
ARADIAL TECHNOLOGIES

Aradial RADIUS and Prepaid Billing Manual Version 5.x

Administration Guide

ARADIAL RADIUS AND BILLING SERVER

Administration Guide

Aradial Technologies Ltd.

Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without a prior express written permission from Aradial Technologies Ltd.
All other products are trademarks or registered trademarks of their respective owners.


Table of Contents

INTRODUCING ARADIAL
  Before You Begin
  Conventions
  Basic Terminology
  The Network Environment
  System Requirements
  Licensing Options
  Installation
  Web Server Compliance
  Aradial Service
THE ADMINISTRATOR INTERFACE
  The Administrator Console Pane
  The Administrator License Information
ARADIAL USER MANAGER
  Groups
  Sub Groups
  Groups Time Periods
  Users
  Metering
  Importing Users into Aradial
  Viewing Session Reports
  Black & White List
PREPAID CARDS
  Card Types
  Generate Prepaid Cards
  Generate Single Prepaid Card
  Manage Prepaid Cards
  Prepaid Cards Reports
  Card Session Summary
ONLINE SESSIONS AND GRAPHS
  Online Sessions
  Graphs
IP POOL MONITORING - UNDERSTANDING ARADIAL IP POOL MONITORING
  IP Pool Repository View
SERVER CONFIGURATION
  NAS
  IP Pools
  Advanced Server Configuration
  LDAP
  Data Management
  Logging Configuration
  Action Log
  Batch Administration
  Database Operations
PROXY AND ROAMING
  Roaming
  Adding a Proxy
  Adding a Realm Group
  Adding a Target
TIERED ADMIN ACCESS
BUSINESS PARTNERS
  Administrator Activities
  Business Partner Self-Care Activities
WEB SELF CARE
  User Summary
  Update User
  Change Password
  View Sessions
PACKET OF DISCONNECT
  Admin POD Support
  POD Configuration
  RADIUS Client
  POD API
WIFI / HOTSPOT PORTAL
  Customizing Aradial Portal
WIMAX IMPLEMENTATION
  Overview
  WiMAX VSA
  Service Definition
  Access to Sub-TLVs
  NAS Simulator
  WiMAX Flows
CONFIGURING WEB SERVERS
  Microsoft Internet Information Server (IIS)
  Apache Using API
ODBC COMPATIBLE DATABASES
  Microsoft Access
  Microsoft SQL Server
  MySQL Server
  Oracle Server and Oracle RAC
NAS/ACCESS SERVER CONFIGURATION
  3Com - AccessBuilder
  3Com Corporation, US Robotics
  Ascend Communications, Inc. MAX
  Checkpoint, Ltd. Firewall 1
  Cisco Systems, Inc. - IOS Access Servers
  Cisco PIX Firewalls
  Cisco VoIP
  Quintum VoIP
  Computone Corporation IntelliServer/PowerRack
  Lucent Technologies, Inc. - PortMaster
  Microsoft Corporation - Routing and Remote Access Service (RRAS)
  Shiva Corporation - LanRover
ACCESS POINT CONFIGURATION
  Proxim AP 2500 \ Nomadix
  Colubris
  MikroTik
  ValuePoint / ZyXEL / Planet
  ChilliSpot / Ikros / Linksys / pfSense / DD-WRT / MonoWall
  BuffaloTech
  HandiLink
  BlueSocket
NAS CONFIGURATION DATABASE
  NASCfgDBs Split Lines Support
HTS CUSTOMIZATION
  DB Column Reference
  DB Table Reference
ARADIAL APPENDIX MANUALS
  General
  Generate Users and Print
  Bandwidth Management

ARADIAL RADIUS AND BILLING SERVER V5.X

Chapter 1
Introducing Aradial
Welcome to the All-In-One Remote Access and Prepaid Enforcement Solution, Aradial!

Aradial is an All-In-One Remote Access solution, allowing you to maintain a common, centralized interface for all your Remote Access needs, including management, authentication, authorization and accounting. If you are an Internet Service Provider (ISP), WiMAX, mobile or VoIP operator, Aradial will prove an essential tool for all your Remote Access (RA) needs, providing extensive RADIUS and prepaid management features and allowing you to save time and resources when managing your business. As a corporate IT professional who maintains the corporate remote access facilities, Aradial gives you a common, centralized administration kit which brings together all the RADIUS, management and analysis tools you will ever require. This manual will set you on the right track, whether you are a system administrator for an ISP or an IT professional in a corporation, to make full use of Aradial and tailor it to your specific needs.

Before You Begin


This manual is intended for both first time and experienced Aradial users. If you are a first time user, please take time to read this manual from beginning to end before actually putting into practice the procedures it describes. This will help you understand the logic of Aradial and use it to its full potential; otherwise you might find yourself undoing and redoing some procedures, because each chapter may show better and faster ways of putting your thoughts and needs into practice. If you are an experienced Aradial user, you may use this manual as a reference guide when configuring your system. Please notice that a lot of work has been put into Aradial and this manual, yet in some cases the manual might prove outdated, simply because it was printed or added to the distribution CD before some new features were added to Aradial. If you encounter new features or changes in Aradial which are missing from this manual, please refer to Aradial's web site at http://www.aradial.com, which will always include the latest information regarding Aradial, whether it is new features, updates to the software, or new information regarding vendors supporting RADIUS (hence supported by Aradial).


If you still have questions after reading this manual, and you are not able to find the information on our web site, please contact us by e-mail: support@aradial.com

Conventions

The following conventions are used throughout this manual to emphasize essential information. They will help you understand how the information is valuable to you, and paying attention to them will save you precious time by pointing out the essential information without which your setup might not work properly.

Valuable information - You should keep this information in mind when performing the related procedure.
Required step - Make sure you have done this when performing the related procedure.
Type in - You should type in the information as described in the procedure.
Placeholder (italic) - Indicates a placeholder for information parameters you must provide. For example, if the procedure requires you to type NAS, you need to enter the actual name of the NAS.


Basic Terminology
Throughout this manual, you will encounter the following terms. Make sure you understand what they mean, as this is the first step in understanding Aradial.

Accounting - Aradial maintains an extensive, easy-to-manage user database. As the administrator of this database, you can maintain information about your users, such as their name, address and contact details, and you also manage the way in which your users connect to your system. As opposed to the limited, rudimentary accounting features usually found in a Network Access Server (NAS), Aradial's accounting capabilities are almost unlimited.

Authentication - Your NAS uses the RADIUS protocol, described below, to ask Aradial whether the credentials presented by the user correspond to the information stored in the Aradial database. If they match, the user is allowed access; if they do not, or if the user should not be allowed in for another reason, Aradial sends the NAS a reject for the user and, depending on the reason, also tells the NAS why the user should not be serviced.

RADIUS - Remote Authentication Dial-In User Service, a protocol standardized by the Internet Engineering Task Force (IETF) to perform authentication for dial-up users (RFC 2865 covers authentication and authorization, RFC 2866 covers accounting). Aradial uses RADIUS to communicate with access servers, firewalls and other RADIUS clients, allowing the authentication of users connecting to the organization's network. With Aradial and RADIUS you keep one database of users, which can be authenticated across multiple access servers and/or firewalls, while keeping a common security model and administrative interface. Keep in mind that RADIUS runs over UDP, that each NAS and the server share a secret which is the only thing authenticating their packets to each other, and that a PAP user password is only obfuscated with MD5 and that secret, not encrypted. Use a long, random secret per NAS and keep RADIUS traffic on a trusted network segment.

NAS - Network Access Server, the device serving your remote access users and communicating with Aradial. Think of the NAS as the virtual hardware/software door to your network. Using that same door analogy, the user knocks on the door, and Aradial is used as both the lock (to which the user's key, i.e. his password, must match) and the butler which decides if the user should be let in, in case the key and lock match. A NAS can be a terminal server, an access server, a router, a firewall or basically any RADIUS client.
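As an added example, not taken from the Aradial manual or product, the following Python script plays both sides of the exchange described above: the NAS builds a PAP Access-Request with the User-Password hidden as RFC 2865 section 5.2 prescribes, the server recovers the password, checks it against a constructed in-memory user table and answers Access-Accept or Access-Reject (with a Reply-Message giving the reason), and the NAS verifies the Response Authenticator before it trusts the verdict. The shared secret, the user table and the NAS address are constructed sample values; Aradial's own packet handling is not shown in the manual.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and the attribute types used here (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18

def encode_attrs(attrs):
    # [(type, value_bytes)] -> TLVs: type, length (header included), value
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value longer than 253 bytes")
        out += bytes([attr_type, len(value) + 2]) + value
    return out

def decode_attrs(blob):
    # TLVs -> [(type, value_bytes)], refusing truncated or zero-length entries
    attrs, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob) or blob[pos + 1] < 2 or pos + blob[pos + 1] > len(blob):
            raise ValueError("malformed attribute")
        length = blob[pos + 1]
        attrs.append((blob[pos], blob[pos + 2:pos + length]))
        pos += length
    return attrs

def hide_password(password, secret, request_auth):
    # RFC 2865 s5.2: pad to 16n, XOR each block with MD5(secret + previous block),
    # starting from the Request Authenticator. Obfuscation keyed by the secret, not encryption.
    padded = password.ljust((len(password) + 15) // 16 * 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ d for p, d in zip(padded[i:i + 16], digest))
        out += prev                       # the chain continues from the ciphertext block
    return out

def recover_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ d for c, d in zip(hidden[i:i + 16], digest))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")           # strip the zero padding

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def response_authenticator(code, ident, request_auth, attrs, secret):
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s3
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def nas_access_request(secret, username, password, nas_ip, ident=0):
    # NAS side: returns (Access-Request packet, its Request Authenticator)
    request_auth = os.urandom(16)         # must be unpredictable for every request
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def server_handle(packet, secret, user_db):
    # Server side: recover the password, check it, answer Access-Accept or Access-Reject
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    username = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = recover_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    # constant-time compare so timing does not reveal how much of the password matched
    if username in user_db and hmac.compare_digest(user_db[username].encode(), password):
        code, reply = ACCESS_ACCEPT, []
    else:
        code, reply = ACCESS_REJECT, [(REPLY_MESSAGE, b"Authentication failed")]
    auth = response_authenticator(code, ident, request_auth, reply, secret)
    return build_packet(code, ident, auth, reply)

def nas_verify_response(response, request_auth, secret):
    # NAS side: verify the Response Authenticator before trusting the verdict; returns the code
    code, ident, length = struct.unpack("!BBH", response[:4])
    attrs = decode_attrs(response[20:length])
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    return code

def demo(username="alice", password="s3cret"):
    # One exchange against a constructed user table; returns the reply code (2 accept, 3 reject)
    secret = b"example-shared-secret"     # assumed per-NAS secret, configured on both sides
    user_db = {"alice": "s3cret"}           # assumed in-memory stand-in for the user database
    request, request_auth = nas_access_request(secret, username, password, "192.0.2.10")
    response = server_handle(request, secret, user_db)
    return nas_verify_response(response, request_auth, secret)
```

Call demo() for an Access-Accept and demo(password="wrong") for an Access-Reject. Note what the Response Authenticator does and does not buy you: a NAS that skips the check at the end can be fed a forged Access-Accept by anyone who can spoof a UDP packet, and a NAS that does check is protected only as far as the shared secret is unguessable, since the whole design rests on MD5 over that secret.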


The Network Environment


The environment in which Aradial operates is composed of several components, some built into Aradial and some external components on which Aradial relies in order to function as required:

Aradial Service is the core component of the network environment. It takes care of communicating with your NAS (via RADIUS) and of performing the authentication, authorization and accounting tasks.

ODBC, or Open Database Connectivity, is the interface used to connect Aradial to ODBC compliant databases such as Microsoft's SQL Server, Oracle and the like. Aradial uses the database to store accounting information such as Users and Groups, and management information such as NAS configuration, IP pools, etc. By default, Aradial will install and use a Microsoft Access database to store this information, but you may use almost any database which supports ODBC, provided you have the proper tables in it. Currently Aradial ships with scripts to create the required database structure under Microsoft SQL Server, MySQL Server, Oracle and MS Access (.mdb file). Please see our web site for information regarding other databases.

The Web Server, or HTTP Server, is the component used to deliver the content of Aradial to your (and your users') desktop. Aradial uses this method, as opposed to a proprietary graphical user interface (GUI), to allow easy and portable administration. You can actually manage your system from wherever you choose, as long as you have access to your web server and have the proper web client. Since anyone who can reach the web server can attempt to log in to the administrator and self-care applications, restrict who can reach them (for example with firewall rules) and serve them over HTTPS.

The Mail Agent, or SMTP Client, is an optional component used in conjunction with Aradial to e-mail any user in the Aradial database. To use this feature you will need a properly configured SMTP server.

A NAS, or Network Access Server, as previously described, is the hardware/software component used as a door to your network.

The Web Browser, or HTTP Client, is the component used by you, as the administrator, to manage your Aradial system, and by your users to access their personal information such as session reports, invoices and account information. Aradial, by using the web server described above, delivers such content to your web browser.

Figure 1.1: The Network Environment


System Requirements
Aradial requires a minimal system configuration in order to function properly. Unavailability of this minimal configuration might cause unexpected results. The following is the list of minimal requirements, in both hardware and software aspects:

Hardware: quad core Pentium, 2GB memory, 250GB disk.
Sun hardware: T1000 or T2000, or any Sun SPARC based hardware.
Software: OS: Microsoft Windows XP, Windows Server 2003/2008, Linux, Solaris 10; SMTP server (optional).

Please notice that this is the minimal configuration. Please refer to Appendix E in order to establish the system requirements that meet your specific needs. Note also that Microsoft no longer issues security updates for Windows XP and Windows Server 2003; an authentication server exposed to the network should run on an operating system that still receives them.

Licensing Options
Although this manual covers all aspects of Aradial, including all Aradial options and services, the availability of some options and services depends on the type of license you have purchased with Aradial. Your license may or may not include the following:

Backup - If purchased, allows you to run a backup Aradial server on the same IP subnet as your primary Aradial server, thus ensuring fail-safe operation.
EAP - If purchased, allows you to authenticate EAP supplicants.
WiMAX - If purchased, allows you to use the WiMAX Forum compliant features.

Installation
Aradial's shipping release is supplied as a single executable (i.e. there is no need to decompress or manually copy files), named AradialSetup-*.EXE on Windows and aradial-*.tar.gz on Linux. The actual installation is a simple process and should take no longer than 30 minutes. In order to install Aradial flawlessly, make sure the following are available on your target machine before attempting to install Aradial:

An Aradial compliant web server. Please review Appendix A to see if your web server is compatible with Aradial, and how to configure it to work with Aradial.


Microsoft's ODBC drivers. These should be available on your target machine.
Administrative rights on your target machine. If you do not have these rights, please consult your system administrator.
A TCP/IP connection to your NAS, and configuration (administrative) rights on the NAS. You will need the administrative rights in order to configure your NAS for RADIUS.

To install Aradial on Windows, proceed with these easy-to-follow steps:
1. Close any programs you are running.
2. If you are installing from the Aradial CD-ROM, insert it into your CD-ROM drive.
3. Click the Windows Start button and select Run.
4. Type x:\AradialSetup-*.EXE, substituting x with your CD-ROM drive letter or with the path to the Aradial setup file, if installing from your hard disk.
5. Click OK and follow the on-screen instructions.

To install Aradial on Linux, refer to the Linux Quick Installation Guide.

Web Server Compliance


As previously stated, Aradial utilizes a web server to deliver content to your, and your users', desktop. This content will allow you, as the administrator, to manage your system. Aradial currently supports two methods, or interfaces, to communicate and interact with your web server: Embedded and API.

In embedded mode, the web application is embedded in its own web server, provided by Aradial. The embedded web server should be used for the Admin application and may be used for the other applications in small deployments. For larger deployments, an external web server such as IIS or Apache should be used.

API, or Application Programming Interface, is an extension to the web server which extends its capabilities (in this case, allowing it to understand Aradial requests). Aradial currently supports two widespread APIs, both supported by many commercial, shareware and freeware web servers: ISAPI, or Internet Server API, an API set by Microsoft to be used with their line of web servers, including Personal Web Server, Internet Information Server and Site Server (many other web server vendors also support ISAPI); and the Apache API, used for integration with the Apache web server. Refer to Appendix A to see how to integrate Aradial with your specific web server.


Aradial Service
Under Windows, Aradial installs as a service, which means that Aradial will start automatically (if configured that way) after a system restart, under a specific security context, as specified in the service parameters (usually an account with administrative rights). Some low-level configuration changes might require a restart of the Aradial service. This may be done in two ways: the legacy Windows way, in which you stop the service using the Services Control Panel, or via the Aradial Administration Interface.

The service for Aradial, called Aradial-RADIUS, is installed during the installation process and is set to run automatically on Windows start-up with system account privileges. Because the service accepts packets from the network, a compromise of it yields those privileges; where your deployment allows it, run it under a dedicated service account that holds only the rights it needs (its database, log and configuration directories), and check which account is in use under the service's Log On properties.

To stop this service using the legacy Windows method, open My Computer > Control Panel > Services, select Aradial RADIUS Server from the services list, and click the Stop button. Click the Start button to restart the service after it has been stopped.
Figure 1.2: The Services Control Panel

There are more Aradial services:
1. Aradial Web Admin - administrator of the Aradial configuration.
2. Aradial Portal - external portal used for walled garden redirection.
3. Aradial Web Self Care - a self care module for the end users to manage their accounts.
4. Aradial Interim Cleaner - used for periodically cleaning online sessions and charging them when the connection carrying the session is lost from the NAS.

In some cases, after you have made changes, the service will refuse to start, stating "Service specific error: 2". In these cases, use the Windows Event Viewer to see why the service failed to load, repair the issue, and try to start the service again.

The second method, using the Administration Interface, is discussed in Chapter 5, Advanced Server Configuration section, in this manual.

Notice that when the Aradial service is stopped, your users will not be able to connect to your network, as no authentication, authorization and accounting operations are available. Normally there should be no reason to stop the Aradial service. You should only stop this service if specifically instructed to do so by this manual, or by an explicit message in the Administrator interface.

Under Linux, Aradial is installed as a process and uses the following processes:


1. ./ardsever - the server.
2. ./ardadmin - the admin.
3. ./ardportal - the portal.
4. ./ardwsc - the user self care.

To start or stop all of the above processes, type:

service ardrad start
service ardrad stop

To start or stop an individual process, use service ardrad start process-name or service ardrad stop process-name, where process-name is one of: radius, admin, wsc, portal or interim.

To view the status of the above processes, type:

/usr/local/aradial/po
or
/usr/local/aradial/shower
or
service ardrad status


Chapter 2
The Administrator Interface
How Aradial Interacts With The Outside World.
As the administrator of your system, the interface you will be using is the Administrator interface. This interface allows you to manage most of your Aradial system such as users, groups, and the network configuration. This interface will also provide you with in-depth analysis of your system such as: how many ports are used, how many users are on-line, and much more. The Administrator interface is divided into two panes: The Console pane, which is your menu, from which you select which part of Aradial you wish to enter. The Main pane, which displays information according to the option selected in the Console pane.

The Administrator Console Pane


The Console pane, used as the menu for the Administrator interface, will allow you to select which part of the Administrator interface to access. By clicking on each of the Console pane buttons, you will either change the view in the Main pane, or open up a new branch in the Console pane, depending on which button you clicked.

The root of the Console pane has the following buttons / links:

NAS & Proxy: a quick link to the NAS & Proxy information page.
Configuration: a quick link to the Aradial configuration page.
Online Sessions: a quick link to the online sessions page.
View Sessions: a quick link to the view sessions page.
Statistic: a quick link to the statistic page where Aradial graphs are available.
Prepaid Cards: a quick link to the Aradial prepaid cards interface.
IP monitoring: a quick link to the IP monitoring page where various repository views are available.


The Administrator License Information


The Main pane displays information according to the button clicked in the Console pane. By default, the Main pane will display the Summary information:

License Number: The serial number of your Aradial server. This number will help us identify you when you apply for technical support or for upgrade information.
Server Status: The status of the Aradial service. If the service is started, this will report online; otherwise, it will report off-line. By clicking on the reported status, the Advanced Server Configuration page will be displayed, which will enable you to start or stop the Aradial service from the Administrator interface.


Server Up Time: Shows for how long Aradial has been running.
Server Version: Shows the current application version of Aradial. By clicking on the version number, your web browser will try to contact Aradial's web site and check if there are any updates available for your current application version. Notice you must be connected to the Internet in order to use the version update functionality.
Users On-line: Shows how many users are currently connected to your system. By clicking the Show link, the Online Sessions page will be displayed, showing exactly who is connected, through which NAS, and when the person connected.
Users in the Database: Shows the current number of users in your database. Notice that this number includes new users. By clicking on the Show link, a verbose list of your users will be displayed.
Rolling Bar: The running ticker displays how many users are connected through each of your NASes.
Network Access Servers Configured: Displays how many NASes are connected to Aradial. By clicking the Show link, a verbose list of all NASes will be displayed.
Session 1-hour Statistics: This graph displays the number of sessions conducted in the last hour.

All other pages displayed in the Main pane are divided into four categories:

Query pages, in which you need to provide information in order to perform a task. For example, the Edit User page, which is discussed in Chapter 3.
Edit pages, which usually display all entries in their category. For example, the Edit NAS page, discussed in Chapter 5, NAS, displays all configured NASes, if any. Usually, by clicking on one of the entries displayed in these pages, you may edit the entry's content.
Add pages, which allow you to add new entries.
Hit pages, which display information. An example of this type of page is the Online Sessions page, which displays the users that are currently connected to your network.

In most cases, clicking on a button in the Console pane will bring up a Hit or Query page in the Main pane. If the page is a Query, after filling it in, the response from Aradial will be displayed in the Main pane using an Edit page.


Chapter 3

Aradial User Manager


Adding Users and Groups.

Whether your network should satisfy one hundred customers all sharing the same service, or tens of thousands of users each with his own requirements and setting, Aradial user manager can handle the heat. The very simple, yet very powerful User Manager allows you to prepare yourself and Aradial for whatever needs you and your customers may require.

Groups
By using Groups, you will be able to apply a common connection model to sets of users. A Group allows you to define connection settings such as the type of service granted to each user within that Group, the sets of IP addresses (also known as IP Pools) to use, the number of simultaneous users which may connect at one time, and NAS filters, which are access lists defined on the NAS and which may be applied to each user while logging in. To the ISP, Groups are of great importance, as they allow assigning specific services to each user and limiting the maximum number of simultaneous user sessions. To the corporate administrator, Groups are essential in terms of QoS and resource management, as they allow limiting the number of simultaneous sessions for each group and managing the IP address space better. To both, the Groups' ability to assign a filter to the connecting user allows them to define which content the user may access. The Groups page may be reached from the Administrator interface by clicking User Manager > Add/Edit/Lookup Group.


The Edit page of Groups displays the following information, if any Groups have been set up:

Name - The name of the Group. By clicking on the name of the appropriate Group, you may edit its properties.
Service - The type of service granted to users in this Group.
IP Pools - The IP Pools used by this Group, if any.
Remote IP - The IP address to which a user is connected if his service type is Telnet or RLogin.
Filter - The filter name, as stored in the NAS, to use for the Group, if any. Filters are access lists that are administered and maintained on the NAS, and may be assigned to the user when he logs in. Please review your NAS documentation in order to understand filters better and how to create/administer them on your NAS; notice that your NAS documentation may refer to filters as Access Lists, or ACLs for short.
Max Sessions - The maximum number of simultaneous sessions allowed for this Group. A value of 0 (zero) means there is no limit.
Max User Sessions - The maximum number of simultaneous sessions each single user may conduct. A value of 0 (zero) means there is no limit.
Action - Where the possible actions are displayed. For Groups the possible action is:
  Delete - By clicking on this link, if the Group is not in use by any user, it may be deleted.
Sub Groups - The two links under Sub Groups allow you to manage Sub Groups under the specified Group. Possible actions for Sub Groups in this page are:
  View - View all Sub Groups in the specified Group.
  New - Add a new Sub Group to the specified Group.


Time Periods By clicking on the links in this column you can define Group settings based on the time of day and day of week. Time Periods are discussed thoroughly later in this chapter.

The Lookup page for Groups displays the following search fields:

Group Name - Use this field to find groups by their group name.
Service Type - Use this field to find groups by selecting their service type.
IP Pools - Use this field to search for groups with matching IP Pools.
Active - Use this field to search for groups that are active.


The Add page of Groups will allow you to add a Group, using the following parameters:

Group Name - Enter the name you wish to set for this Group. This name will be used to reference the Group.
Service Type - Select the type of service you wish to grant users in this Group.
Password Source - Select the Password Source for the users in this Group. By using this, the user password may be set to be acquired from ARADIAL (i.e. the user database), OS (i.e. Windows SAM), LDAP (i.e. your LDAP server), or SecurID (i.e. your ACE/Server). The default value for Password Source is <Users>, which tells ARADIAL to use the Password Source defined for each user (instead of the one in the Group).
Active - Displays whether users in this Group may access your network.
IP Pools - Enter the names of the IP Pools that should be used by this Group. Notice there are three reserved values for IP Pools:
  NAS - Tells the NAS to provide an IP address to the user.
  User - Tells the NAS that the user provides the IP address. A user-supplied address is whatever the client claims, so do not base access decisions on it.
  DHCP - Tells Aradial to request an IP address from a DHCP server, and provide that IP address to the user.
Notice that if no IP Pool is specified, Aradial defaults to NAS, meaning the IP address is to be set by the NAS. You may specify a number of IP Pools by using a semicolon (;). For example, an entry of Pool1;Pool2 tells Aradial to use IP Pools Pool1 and Pool2. You may also define the same IP Pool in two different Groups; Aradial will automatically manage the specified address space. Notice that this is not possible when using one of the reserved types (i.e. NAS, User or DHCP).

Notice that while the User and NAS reserved types are built into the basic Aradial, DHCP is not, so using it without the proper licensing will have no effect.
Remote IP - Use this field to specify the IP address into which a user using the Telnet or RLogin services should log in.
Filter - If a filter (or an access list) has been created on your NAS (consult your NAS documentation), you may apply the filter to the Group by specifying its name here.
Enable Callback - Check this checkbox to allow callback to your users (notice the callback number is in the user add/edit page). Callback is common in corporate remote access, where the corporation pays for the connection, or for additional security, by making the NAS call back only a specified number.
CallerID Template - You may use this for higher security. If this field is not empty, only users whose CallerID matches this template will be able to log into your system. The CallerID may be either the user's telephone number or the user's IP address. The template may be composed of any digit 0-9, periods (.), and may include wildcards. The wildcards allowed are * (asterisk) and ? (question mark). The asterisk matches any sequence of characters (zero or more). The question mark matches any single character. The CallerID template allows you the following options: defining several numbers separated by commas, where each individual number may include wildcards; and disallowing a number or a list of numbers by preceding the list with a '!' character.

Please note: the CallerID template can have either an allow-only semantic or a disallow-only semantic.
Please note: since there are two possible rules (one at the User level and another at the Group level), the combined rules have the following semantics:
- If at least one of the rules is a disallow rule and the caller ID is in it, the call is rejected (regardless of the other rule, even if it is allowed at the other level).
- If one or both of the rules are allow rules and the caller ID is not in any of the list(s), the call is rejected.


Examples: 7452333,7452335 (white list) allows the user to call only from one of the two numbers listed. !15552121,15652342 (black list) allows the user to call from any number, except from the two numbers listed.
Extended RADIUS Attributes - You may use this field to set custom RADIUS attributes for users in this Group. The format of attributes that may be entered here is Attr1=Val1,Attr2=Val2,...,Attrn=Valn where: Attr is the custom RADIUS attribute reference value you defined in the NasCfgDbs Services section; Val is a valid value that should be set for the RADIUS attribute. For example, if you have defined an attribute named My-Attribute-1, with the value of $MyAttr1 (e.g. MyService:My-Attribute-1=$MyAttr1), you should set the following in the Custom Attributes field: $MyAttr1=value, where value is the value that attribute should receive.
MultiLink - Use this checkbox to tell ARADIAL that two or more simultaneous sessions by a user in this Group should be regarded as a MultiLink connection, so that ARADIAL handles this kind of request correctly. Note that this option is used in connection with IP Pools to ensure that a MultiLink session will not be allocated a new IP.
Auto Add on 1st Connect - Enable this to automatically add local Aradial users for non-local users (e.g. LDAP or OS users). The auto add is performed on the first connection attempt of these users. The benefit of having these users as local users is the enhanced functionality available to local users.

Maximum Simultaneous Group Sessions - You may set here the number of simultaneous sessions that may be conducted by the Group. Notice that leaving this field empty, or specifying 0 (zero), will allow unlimited concurrent sessions.
Maximum Simultaneous User Sessions - You may set here the number of simultaneous sessions that may be conducted by each individual user. Notice that leaving this field empty, or specifying 0 (zero), will allow unlimited concurrent user sessions.

Notice that each User session is also counted as a Group session. For example: two Users from the same group conducting two sessions each are counted as four Group sessions.

Session Timeout - This value is sent to the NAS in the Access response. It is a global session timeout for the Group, and causes Aradial to send the Session-Timeout attribute to the NAS. Every session from this Group will be terminated according to the maximum time entered. If Session-Timeout is defined for the Group, Metering and the time to expiration will not work!
Idle Timeout - This value is sent to the NAS in the Access response. The NAS can detect that a user has no traffic on the network, and after this time it will automatically terminate the session. The value is sent in the Idle-Timeout (28) RADIUS attribute. Because there may be daemons running on the client machine that generate traffic, this idle timeout may not be applied; however, if the user shuts down the client or the machine, the NAS will detect it.
Business Entity - You may set here the Business Entity that the Group belongs to. The Group will be enforced from the Business Entity self care, so that other Business Entities are not allowed to register users to this Group.
Auto Expire Policy and Auto Expire Time - When a user logs in to the system, the account expiration will automatically be set to the time defined.

Note: The enforcement of the auto expiry happens from the second session, meaning that for the initial session the time is not calculated and sent over RADIUS. In the second session, the timeout for the session is calculated up to the expiration time and sent to the NAS.


Account Start Date - The date and time from which the Group will be activated.
Account End Date - The date and time the Group expires. Empty means never.
Black List - This is a combo box presenting the available Black or White lists in Aradial. None is the default value and means that no black list is defined for the Group. Choosing a list from the combo box means that the resources defined under the selected list will be restricted and not allowed to make sessions (unless the Sub Group definition overrides it).
White List - This is a combo box presenting the available White or Black lists in Aradial. None is the default value and means that no white list is defined for the Group. Choosing a list from the combo box means that only the resources defined under the selected list will be allowed to make sessions (unless the Sub Group definition overrides it). Every other resource which is not defined in the list will be restricted.

Event Scripting - Aradial permits you to execute your own programs (or third party ones) based on accounting events. The currently supported events are:
After Adding A User Execute - Executes the program specified in this field when a new User is added to this Group.
After Removing A User Execute - Executes the program specified in this field when a User is removed from this Group.
On Password Change Execute - Executes the program specified in this field when the password of a user in this Group is changed.
After De-Activating A User Execute - Executes the program specified in this field when a user in this Group is deactivated (Active unchecked).
After Re-Activating A User Execute - Executes the program specified in this field when a user in this Group is reactivated (Active rechecked).

Notice that Event Scripting will not be applied to existing users that have been moved from one Group to another.


Event Scripting Parameters Event Scripting allows you, besides specifying a program to execute when an event occurs, to pass parameters to that program. The parameters you may use are any column in the Users and the UserDetails database tables, in the format of @db_TableName.Column@:
Table.Column - Format and Description
Users.UserIndex - Number. The index number of the user in the database.
Users.UserID - String. The User ID.
Users.Password - String. The user password. Notice that this may be encrypted, thus unreadable by external programs.
Users.GroupName - String. The name of the Group the user is in.
Users.UserService - Number. The number represents the service this user is granted, in case of an override of the Group settings. The meaning of this number may be found in the NAS Configuration Database, described in Appendix D.
Users.UserIP - Number. This is the override for the Group Remote IP parameter.
Users.FilterName - String. The name of the filter applied to this user, as an override to the Group Filter value.
Users.UserExpiryDate - Date. The expiration date of this user.
Users.UserActive - Bit. This will return 1 or -1 if the user is active, or 0 if the user is not. Notice that the number returned for a true value (Active) is subject to the database interpretation of true (either 1 or -1).
Users.CallBackNumber - String. The number to call if callback is enabled on your system.
Users.StartDate - Date. The date on which the user account was (or will be) activated. Notice that dates may have special parameters, which are described later in this section.
Users.CallerID - String. The CallerID template the user must match to log in.
UserDetails.UserIndex - Number. The index of the user in the database.
UserDetails.FirstName - String. The first name of the user.
UserDetails.LastName - String. The last name of the user.
UserDetails.Company - String. The company name of the user.
UserDetails.Address1 - String. The first address line.
UserDetails.Address2 - String. The second address line.
UserDetails.City - String. The user city.
UserDetails.State - String. The user state.
UserDetails.Country - String. The user country.
UserDetails.Zip - String. The user Zip code.
UserDetails.PhoneHome - String. The user home phone number.
UserDetails.PhoneWork - String. The user work phone number.
UserDetails.PhoneFax - String. The user fax number.
UserDetails.Email - String. The user Email address.
UserDetails.CreateDate - Date. The user creation date (i.e. the date on which the user was added to your database). Notice that dates may have special parameters, which are described later in this section.
UserDetails.LastModify - Date. The date on which the user account was last modified.
UserDetails.CustomInfo1 - String. Custom information field 1 value.
UserDetails.CustomInfo2 - String. Custom information field 2 value.
UserDetails.CustomInfo3 - String. Custom information field 3 value.
UserDetails.CustomInfo4 - String. Custom information field 4 value.
UserDetails.Comments - String. The comments entry.

In addition, the following parameters are available:
@Password@ - An unencrypted password, available only when creating a user or modifying his password.
@Param:xxx@ - Any input HTTP parameter sent from the Hts request.
@ParamGet:xxx@ - Any input HTTP parameter in GET format.
@ServerParam:xxx@ - An HTTP server parameter.


Event Scripting Guidelines
When using Event Scripting, keep in mind that the scripting command is passed to Windows, thus it is as limited as any command given to Windows. One obvious limitation is the number of characters that may be passed, which is 256 for Windows 95/98 (a DOS limitation) and 1024 for Windows, meaning that if the total command length you are running is longer than 256/1024 characters, it will be truncated. In the base directory of Aradial there is an example script named example.bat. This example script will output any number of variables (as long as it does not exceed the 256/1024 character limitation) to your Windows root hard disk, to a file named example.out. To test this script, put it in the appropriate field and specify the variables you would like to export. For example, using example.bat UserID:@db_Users.UserID@ FirstName:@db_UserDetails.FirstName@ LastName:@db_UserDetails.LastName@ will output the User ID and his first and last name, as shown in Figure 3.1. This example shows what the output file, example.out, will contain after a user has been added with a User ID of JohnDoe, first name John and last name Doe.

Command: example.bat UserID:@db_Users.UserID@ FirstName:@db_UserDetails.FirstName@ LastName:@db_UserDetails.LastName@

example.out file: UserID:JohnDoe FirstName:John LastName:Doe

Figure 3.1: Event Scripting Example

Event Scripting Special Variable Denominators
The following denominators, or tags, may be used to format Event Scripting variables:
@[D{xyz}]db_TableName.Column@ - [D] is used for special date formatting, where x, y and z are used to define the day of month, month and year, in any order. Possible values for x, y and z, in no specific order (you may change the order and set which field, day, month or year, is displayed first, second and third):
D - The day, with no leading zeros.
DD - The day, with a leading zero (when needed).
M - The month number, with no leading zeros.
MM - The month number, with a leading zero (when needed).
MMM{MMM} - The first three letters of the month name. Each additional M adds one more letter of the month name.
Y - The year, with no leading zeros.
YY - The year, with leading zeros (when needed, after the year 2000).
YYY{Y} - The last three digits of the year. Each additional Y adds one more digit of the year.

You may use any character as a separator, except for the reserved D, M and Y upper case letters. Notice that all date tags must be upper case letters. Some examples of date tagging:
@[D]db_TableName.Column@ - This is the most basic entry. The output is MMDDYY (e.g. February 22nd, 1999 is 022299).
@[DMMM-DD-YYYY]db_TableName.Column@ - For August 7th, 2001 the output is Aug-07-2001.
@[DYY+D+MM]db_TableName.Column@ - For June 3rd, 2002 the output is 02+3+06.
@[length]db_TableName.Column@ - You may use any number before the db_ to enforce a maximum length on the output value. For example, @[4]db_TableName.Column@ will truncate the output to four characters.

CallerID wildcard examples: a telephone number based CallerID of 555*22 will accept users from any telephone number that starts with 555 and ends with 22; an IP address based CallerID of 192.110.*.* will accept users from any IP address starting with 192.110., followed by any number, a period and another number. The question mark matches any single character: a telephone number based CallerID of 555555? will accept users from any telephone number from 555-5550 to 555-5559; an IP address based CallerID of 192.110.100.10? will accept users from any IP address from 192.110.100.100 to 192.110.100.109. Notice that CallerID must be supported by your local telephony services (for telephone number CallerID) and by your NAS (for both telephone number and IP address CallerID).
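To make the date and length tags above concrete, the following Python script is an added example, not Aradial's own code, that expands a scripting command containing @db_TableName.Column@ references, applying [D...] date patterns and [length] truncation as described, and checks the expanded command against the Windows length limit. The record dictionary, the treatment of a single Y as the unpadded two-digit year, the helper names and the sample values are assumptions of the example; the three date examples from the text are reproduced.

```python
import re
from datetime import date

MONTH_NAMES = ["January", "February", "March", "April", "May", "June", "July",
               "August", "September", "October", "November", "December"]

# @db_Table.Column@ with an optional [tag] prefix: [D...] date format or [length].
TAG_RE = re.compile(r"@(?:\[(?P<tag>[^\]]*)\])?db_(?P<table>\w+)\.(?P<column>\w+)@")


def _date_run(letter: str, length: int, d: date) -> str:
    """Render one run of D, M or Y letters per the denominator rules."""
    if letter == "D":
        return str(d.day) if length == 1 else f"{d.day:02d}"
    if letter == "M":
        if length == 1:
            return str(d.month)
        if length == 2:
            return f"{d.month:02d}"
        return MONTH_NAMES[d.month - 1][:length]
    # "Y": a single Y is taken as the two-digit year without padding (assumption);
    # YY pads to two digits, YYY and longer give the last n digits of the year.
    if length == 1:
        return str(d.year % 100)
    if length == 2:
        return f"{d.year % 100:02d}"
    return str(d.year).zfill(length)[-length:]


def format_date_tag(pattern: str, d: date) -> str:
    """Apply a [D{xyz}] pattern; an empty pattern means the default MMDDYY."""
    if pattern == "":
        pattern = "MMDDYY"
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch in "DMY":
            j = i
            while j < len(pattern) and pattern[j] == ch:
                j += 1
            out.append(_date_run(ch, j - i, d))
            i = j
        else:
            out.append(ch)  # any other character is a separator
            i += 1
    return "".join(out)


def expand_template(template: str, record: dict) -> str:
    """Replace every @db_Table.Column@ reference in the scripting command with
    the value from record[table][column], honouring [D...] and [length] tags."""
    def repl(m):
        tag, table, column = m.group("tag"), m.group("table"), m.group("column")
        value = record[table][column]
        if tag is None:
            return str(value)
        if tag.startswith("D"):
            if not isinstance(value, date):
                raise TypeError(f"{table}.{column} is not a date")
            return format_date_tag(tag[1:], value)
        if tag.isdigit():
            return str(value)[: int(tag)]
        raise ValueError(f"unsupported tag [{tag}]")
    return TAG_RE.sub(repl, template)


def fits_command_limit(command: str, limit: int = 1024) -> bool:
    """True when the expanded command stays within the Windows length limit the
    manual describes (256 on Windows 95/98, 1024 on later Windows)."""
    return len(command) <= limit


# Constructed sample record standing in for the Users / UserDetails rows.
SAMPLE_RECORD = {
    "Users": {"UserID": "JohnDoe", "StartDate": date(1999, 2, 22)},
    "UserDetails": {"FirstName": "John", "LastName": "Doe",
                    "CreateDate": date(2001, 8, 7), "LastModify": date(2002, 6, 3)},
}

if __name__ == "__main__":
    cmd = expand_template("example.bat UserID:@db_Users.UserID@ "
                          "FirstName:@db_UserDetails.FirstName@ "
                          "LastName:@db_UserDetails.LastName@", SAMPLE_RECORD)
    print(cmd, fits_command_limit(cmd))
```

Running the script prints the command line of Figure 3.1 with the placeholders expanded, followed by True because it fits the 1024 character limit; a value that is not a date used with a [D...] tag raises an error rather than producing a silently wrong command.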

Example:
Suppose your company wishes to provide two types of service: for the Development Team, restricted access to PPP services, by applying the Access List NoFTP stored on your NAS; for the Accounting Department, up to 6 simultaneous Telnet sessions for the entire group, and up to 2 simultaneous sessions per user, to a computer with the IP address 192.168.10.12.

Create the Development Team Group first. You should:
1. Enter the Aradial Administrator interface and click on User Manager > Add Group.
2. When the Add Group page opens, enter the information as follows: for the Group Name field, pick a name that will help you later to identify the group, such as DevTeam. In the Service Type selection box, select PPP. In the Filter field, enter the name of the Access List you wish to use, in this case NoFTP. Leave the Maximum Group Sessions and Maximum User Sessions empty, to allow unlimited sessions by this group and its users.
3. Click the Submit button to create the new Group.

Now create the Accounting Department Group. You should:
1. Enter the Aradial Administrator interface and click on User Manager > Add Group.
2. When the Add Group page opens, enter the information as follows: for the Group Name field, pick a name that will help you later to identify the group, such as AcctDept. In the Service Type selection box, select Telnet. In the Remote IP field, enter the address of the host computer for the Telnet service you specified in the Service Type selection; in this case, enter 192.168.10.12. Set the Maximum Group Sessions to 6 and the Maximum User Sessions to 2.
3. Click the Submit button to create the new Group.


Sub Groups
Sub Groups enable you to create an environment in which a user is granted service based on his location. Sub Groups require the presence of at least two NASes in your environment, as the user location is determined by the NAS he is calling. In a Sub Group setup, the user is checked not only by his User ID and password, but also by his location (or rather, by the NAS he is coming from). Based on the different NASes through which the user may be connecting, he is assigned to a Sub Group, which may alter the parent Group settings and apply new ones. As stated before, Sub Groups may be accessed from the main Group edit page, in which you may select to view or add new Sub Groups, by clicking on the links in the appropriate parent Group. The view Sub Group page, much like most edit pages, will display the existing Sub Groups' information:

NAS Name - Displays the name of the Sub Group. By clicking on the name of the appropriate Sub Group, you may edit its properties.
Service - The type of service granted to users in this Sub Group.
IP Pools - The IP Pools used by this Sub Group, if any.
Remote IP - The IP address to which a user is connected if his service type is Telnet or RLogin.
Filter - The filter name, as stored in the NAS, to use for the Sub Group, if any.
Max Sessions - The maximum number of simultaneous sessions allowed for this Sub Group. A number of 0 (zero) means there is no limitation.
Max User Sessions - The maximum number of simultaneous sessions each single user may conduct. A number of 0 (zero) means there is no limitation.
Action - Where the possible actions are displayed. For Sub Groups possible actions are: Delete - By clicking on this link, the Sub Group may be deleted.


The new Sub Group page, much like most add pages, will allow you to add new Sub Groups to the Group by specifying the following information:
NAS Name - This selection box displays the NASes you have configured. Select the NAS for which this Sub Group should be applied. Users in the parent Group accessing through this NAS will use the properties set in this Sub Group.
The rest of the settings in Sub Groups are equivalent to Group settings, and may be used to override the parent Group settings.


Groups Time Periods


Group Time Periods enable you to set the Group environment based on the time of day and day of the week. In a Group Time Periods setup, you can set what kind of access (if any) the user should be granted. Should you omit a time period, the default Group settings will be used. As stated before, Time Periods may be accessed from the main Group edit page, in which you may select to edit the Group Time Periods. The edit Group Time Periods page is used both to view and to edit the Group Time Periods table. If there are no Group Time Periods set, Aradial will report this, and you will have the option to add Group Time Periods. If any Group Time Periods were set, the following will be displayed:

Day(s) - The day(s) of the week which the Group Time Period covers. By clicking on this value you may edit the Group Time Period values.
Start Time - The time of day at which the Group Time Period starts.
End Time - The time of day after which the Group Time Period ends.
Max Sessions - The maximum number of simultaneous sessions allowed in this Group Time Period. A number of 0 (zero) means there is no limitation.
Max User Sessions - The maximum number of simultaneous sessions each single user may conduct in this Group Time Period. A number of 0 (zero) means there is no limitation.
Access - This field displays whether users are allowed or denied access during the Group Time Period.
Action - Where the possible actions are displayed. For Group Time Periods possible actions are: Delete - By clicking on this link, the Group Time Period may be deleted.


Add Period By clicking on this button, you can add new Group Time Periods. After clicking on this button, you may set the following for the Group Time Period:

Day checkboxes - Use these to set which day(s) the Group Time Period covers. You may click the All or None buttons in order to check or clear all day checkboxes, respectively.
Start Time - Use this field to set the time of day from which the Group Time Period should apply.
End Time - Use this field to set the time of day after which the Group Time Period ends.
Disallow Access - Check this check box in order to deny access on the set Day(s), between the Start Time and End Time.
The rest of the settings in Group Time Periods are equivalent to Group settings, and may be used to override the parent Group settings.
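As an added illustration that is not part of Aradial or of this manual, the following Python script models how the Group Time Period rows above and the Group session limits (Maximum Simultaneous Group Sessions and Maximum Simultaneous User Sessions) combine when a new session is admitted: the first Time Period covering the current weekday and time of day supplies the access decision and overrides the Group's Max Sessions / Max User Sessions where set, otherwise the Group defaults apply, 0 means unlimited, and every user session is also counted as a Group session. The weekday numbering, the exclusive End Time, the sample AcctDept and DevTeam groups and the sample moments are assumptions of the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional, Set, Tuple

# Weekday encoding assumed by this example: 0 = Monday ... 6 = Sunday,
# matching datetime.weekday().
MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, SUNDAY = range(7)


@dataclass
class TimePeriod:
    """One row of the Group Time Periods table."""
    days: Set[int]                  # Day checkboxes
    start: time                     # Start Time
    end: time                       # End Time (treated as exclusive here; assumption)
    disallow_access: bool = False   # Disallow Access checkbox
    max_sessions: Optional[int] = None        # None = inherit the Group value
    max_user_sessions: Optional[int] = None   # None = inherit the Group value


@dataclass
class Group:
    name: str
    max_sessions: int = 0        # 0 or empty = unlimited, as on the Add Group page
    max_user_sessions: int = 0   # 0 or empty = unlimited
    periods: List[TimePeriod] = field(default_factory=list)


def period_in_effect(group: Group, at: datetime) -> Optional[TimePeriod]:
    """Return the first Time Period covering the given moment, or None."""
    t = at.time()
    for p in group.periods:
        if at.weekday() in p.days and p.start <= t < p.end:
            return p
    return None


def effective_limits(group: Group, at: datetime) -> Tuple[int, int, bool]:
    """(max group sessions, max user sessions, access allowed) at the given moment.
    When no Time Period applies, the Group defaults are used."""
    p = period_in_effect(group, at)
    if p is None:
        return group.max_sessions, group.max_user_sessions, True
    max_s = group.max_sessions if p.max_sessions is None else p.max_sessions
    max_u = group.max_user_sessions if p.max_user_sessions is None else p.max_user_sessions
    return max_s, max_u, not p.disallow_access


def admit_session(group: Group, user_id: str, active: List[str],
                  at: datetime) -> Tuple[bool, str]:
    """Decide whether a new session for user_id may start. `active` holds one
    entry per open session in the Group (the user id owning it), so every user
    session is automatically counted as a Group session as well."""
    max_s, max_u, access = effective_limits(group, at)
    if not access:
        return False, "access disallowed by Time Period"
    if max_s and len(active) >= max_s:
        return False, "Group session limit reached"
    if max_u and active.count(user_id) >= max_u:
        return False, "user session limit reached"
    return True, "ok"


# Constructed sample data: the AcctDept Group of the manual's example (6 Group
# sessions, 2 per user) with two Time Periods, and the unlimited DevTeam Group.
ACCT_DEPT = Group(
    "AcctDept", max_sessions=6, max_user_sessions=2,
    periods=[
        # weekday evenings: access disallowed
        TimePeriod(days={MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY},
                   start=time(18, 0), end=time(23, 59), disallow_access=True),
        # weekends: only one session per user
        TimePeriod(days={SATURDAY, SUNDAY}, start=time(0, 0), end=time(23, 59),
                   max_user_sessions=1),
    ],
)
DEV_TEAM = Group("DevTeam")

SAMPLE_NOON = datetime(2024, 1, 3, 12, 0)      # Wednesday noon: no period applies
SAMPLE_EVENING = datetime(2024, 1, 3, 19, 0)   # Wednesday evening period
SAMPLE_SATURDAY = datetime(2024, 1, 6, 10, 0)  # weekend period

if __name__ == "__main__":
    print(admit_session(ACCT_DEPT, "alice", ["alice", "alice", "bob"], SAMPLE_NOON))
    print(admit_session(ACCT_DEPT, "bob", [], SAMPLE_EVENING))
```

The order of the checks mirrors the manual: a period that disallows access rejects before any counting, then the Group total is tested against the Group limit, then the user's own sessions against the user limit.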


Users
A user, by definition, is a person you wish to grant access to, who, by connecting to a NAS, requires authentication from Aradial. If that person does not have a user record in your database, he will not be able to access your network. Notice that there is an exception to the previous statement: NT and LDAP users do not have user records in the Aradial database, yet, when using NT or LDAP as your primary or secondary database, they will be able to access your network. The Users page may be reached from the Administrator interface by clicking User Manager > Add/Edit User. The Query page for users displays the following search fields:

User ID - Use this field to search for users with a matching User ID.
First Name - Use this field to find users by their first name.
Last Name - Use this field to find users by their last name.
Advanced Search - By clicking on this link, you will access an advanced user search page, which will allow you to find your users by values other than those available here.


If any users corresponding to your query were found, the following will be displayed in the Edit page:

User ID - The User ID is the handle with which the user connects to your system.
First Name - The user's first name.
Last Name - The user's last name.
Group Name - The Group applied to the user.
Time Bank - The time left for the user's sessions (Metering).
MB Bank - The maximum allowed traffic that is left, in MB.
Expiration Date - The time the user will expire.
Actions:
Email - By tagging the appropriate checkboxes and clicking the Email button, you may send an email to users.
Delete - By tagging the appropriate checkboxes and clicking the Delete button, you may delete users.
Global Actions - Allows you to tag all the users presented on the screen, or reverse the tagging.


The Add page of users will allow you to add new Users, using the following parameters:

User ID - Use this field to set the user handle required for accessing the network.
Password - This field holds the user password required for accessing the network.
Active - Use this checkbox to activate or deactivate the user account. A deactivated user, although still in the user database, will not be able to access the network.
Force Password - Use this check box to allow the usage of a weak password. You may force a weak password only if its score is higher than the Minimum Password Score set in the Advanced Configuration page.
Password Source - This selection box allows you to override the Password Source defined for the Group this user is a member of. When using this override, the user password may be set to be acquired from ARADIAL (i.e. the user database), OS (i.e. Windows SAM), LDAP (i.e. your LDAP server), or SecurID (i.e. your ACE\Server). The default value for Password Source is <Group>, which tells ARADIAL to retrieve this setting from the user's Group.
Group - Use this selection box to select a Group for the user, setting his access parameters accordingly.
Administrator Rights - Use this checkbox to set the level of administrative rights the user has when accessing the Administrator Interface. The default value of <NONE> will disallow the user from accessing the Administrator Interface.


There are several admin types:
<None> - regular user.
Co-Admin - another admin user.
Tech Support - can create / update users but not configure the system.
Dealer - a Business Entity; has a special admin panel to manage users registered to it.
API - special user that is used to link Aradial to external systems.
Session Reviewer - allows viewing the online users.
User Reviewer - same as Tech Support, without permission to create / update users.
Prepaid Card Generator - allows generating and managing prepaid cards.
Business Entity - Use this selection box to select a Business Entity for the user, setting his access parameters accordingly. Notice that a Business Entity user, used for Business Entity self care, must be assigned to the Business Entity, and the Admin Type for the user should be Dealer.

CallerID - Use this field to add a security check based on a user's caller ID. The caller ID may be supplied by the NAS in the following forms:
Phone Number - if the NAS port is connected to a modem, it will inform Aradial of the dialing-in phone number (where supported by both the telephone company and the NAS).
IP Number - if the NAS port is reached through a network, it will inform Aradial of the incoming IP number (where supported by the NAS).
MAC Address - the MAC address of the machine.

Aradial will compare the NAS supplied caller ID with this field, and if they match, it will allow the user to log in. You may use wildcards in the CallerID field, thus allowing the user multiple points of origin. The wildcards supported are:
* - Matches any sequence of characters (zero or more). For example, a CallerID of 555*22 will accept users from any phone number starting with 555 and ending with 22.
? - Matches any single character. For example, a CallerID of 555555? accepts users from any phone number from 555-5550 to 555-5559.
The CallerID allows you the following options: defining several numbers separated by commas; and disallowing a number or a list of numbers by preceding the list with a '!' character.

Please note: the CallerID can have either an allow-only semantic or a disallow-only semantic.
Please note: since there are two possible rules (one at the User level and another at the Group level), the combined rules have the following semantics:
- If at least one of the rules is a disallow rule and the caller ID is in it, the call is rejected (regardless of the other rule, even if it is allowed at the other level).
- If one or both of the rules are allow rules and the caller ID is not in any of the list(s), the call is rejected.

Examples: 7452333,7452335 (white list) allows the user to call only from one of the two numbers listed. !15552121,15652342 (black list) allows the user to call from any number, except from the two numbers listed.
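Because the same CallerID template rules appear at the Group level (CallerID Template, in the Add Group page) and at the User level (CallerID, above), the following Python script, added here as an illustration and not taken from Aradial, implements both in one place: wildcard matching with * and ?, comma-separated lists, the '!' prefix that turns a list into a disallow list, and the combined User/Group semantics given in the notes. The function names and the sample numbers beyond those quoted in the text are the example's own.

```python
import re
from typing import List, Optional, Tuple


def _wildcard_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a CallerID pattern ('*' = any run of characters, '?' = exactly
    one character, everything else literal) into an anchored regular expression."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def parse_template(template: str) -> Tuple[Optional[str], List[str]]:
    """Split a CallerID template into ('allow' | 'deny' | None, patterns).
    A leading '!' makes the whole comma-separated list a disallow list; an
    empty template means there is no rule at this level."""
    template = template.strip()
    if not template:
        return None, []
    mode = "allow"
    if template.startswith("!"):
        mode = "deny"
        template = template[1:]
    patterns = [p.strip() for p in template.split(",") if p.strip()]
    return mode, patterns


def matches_any(caller_id: str, patterns: List[str]) -> bool:
    """True when the caller ID matches at least one pattern of the list."""
    return any(_wildcard_regex(p).match(caller_id) for p in patterns)


def caller_id_allowed(caller_id: str, user_template: str = "",
                      group_template: str = "") -> bool:
    """Combine the User-level and Group-level rules as the manual states: a match
    in any disallow list rejects the call; when at least one allow list exists,
    the caller must appear in at least one of the allow lists."""
    rules = [parse_template(t) for t in (user_template, group_template)]
    deny_lists = [p for mode, p in rules if mode == "deny"]
    allow_lists = [p for mode, p in rules if mode == "allow"]
    if any(matches_any(caller_id, p) for p in deny_lists):
        return False
    if allow_lists and not any(matches_any(caller_id, p) for p in allow_lists):
        return False
    return True


if __name__ == "__main__":
    # the two examples from the text, plus a combined User/Group case
    print(caller_id_allowed("7452333", group_template="7452333,7452335"))
    print(caller_id_allowed("15552121", group_template="!15552121,15652342"))
    print(caller_id_allowed("7452333", user_template="7452333",
                            group_template="!7452333"))
```

The third call prints False: the User-level allow list contains the number, but the Group-level disallow list does too, and a disallow match wins regardless of the other level.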

Callback Number - Use this field to specify the number which should be called back when the user logs in. Under some circumstances you may wish the NAS to call back the user, so that the user does not have to pay the phone bill. This may also be used as a security feature: the user will only be able to access the system through the phone number specified here.
Admin Type - Use this checkbox to set the level of administrative rights the user has when accessing the Administrator Interface. The default value of <NONE> will disallow the user from accessing the Administrator Interface. There are several admin types:
<None> - regular user.
Co-Admin - another admin user.
Tech Support - can create / update users but not configure the system.
Dealer - a Business Entity; has a special admin panel to manage users registered to it.
API - special user that is used to link Aradial to external systems.
Reviewer - allows viewing the online users.
Business Entity - Use this selection box to select a Business Entity for the user, setting his access parameters accordingly. Notice that a Business Entity user, used for Business Entity self care, must be assigned to the Business Entity, and the Admin Type for the user should be Dealer.


User Creation Date - This field displays the date on which the user was created.
Last Modified - This field displays the date on which the user was last modified.
User Activation Date - This field displays the date from which the User is (or will be) allowed to access your network. You may change the value of this field, so that a user, although in the user database, will be able to connect only after the set date.
User Expiration Date - This field displays the date on which the User has expired (or will expire).

Service - This selection box allows you to override the Service Type defined for the Group this user is a member of.
Remote IP - If the service type of the user, or of his Group, is Telnet or RLogin, use this field to override the host to which the user should connect. When using a framed service such as SLIP, CSLIP or PPP, you may use this field to set a static address for the user (i.e. each time the user connects, he will have the same IP address).
Filter - You may use this field to specify the use of an access list or filter which is stored on the NAS. In case the user's Group already contains a Filter value, the Filter value here allows you to override it.
RADIUS Attributes - You may use this field to set custom RADIUS attributes for this user. The format of attributes that may be entered here is Attr1=Val1,Attr2=Val2,...,Attrn=Valn where: Attr is the custom RADIUS attribute reference value you defined in the NasCfgDbs Services section; Val is a valid value that should be set for the RADIUS attribute. For example, if you have defined an attribute named My-Attribute-1, with the value of $MyAttr1 (e.g. MyService:My-Attribute-1=$MyAttr1), you should set the following in the Custom Attributes field: $MyAttr1=value, where value is the value that attribute should receive.


Max Sessions - You may set here the number of simultaneous sessions that may be conducted by each individual user. This definition overrides the Group level definition and allows you to set the value at the user level. Leaving this field empty means that the value will be taken from the Group associated with the user.
Additional Services - You may set additional services you wish to grant the specific user. The main service is taken from the Service attribute of the User or the associated Group, and its role is to define the access service attribute, while additional services are used for granting additional (non-access) services to the user, for example email or firewall services. You can configure the user with multiple services in the following manner:
1. Select the type of service from the combo box (from the available list).
2. Press the Add button to grant the user the service.
3. The service will be added to the 'additional service' field.

Note: Multiple additional services will be comma separated.

First Name - The user's first name. Last Name - The user's last name. Company - The user's company name.


Email - The user's Email address. This address will be used to override the default Email address when sending reports and invoices to the User. The default Email address for a user on your system is UserID@Mail.Server, where Mail.Server is defined by the SMTP Host setting in the Configuration>E-Mail page. Address, City, State, Country, Zip Code, Home Phone, Work Phone, Fax - The user's contact information.


Metering

Meter Bank Time - This field holds the maximum online time the user is allowed. When this time is depleted the user will not be able to log in again. Note: the time that is returned to the NAS is calculated as the minimum of the Time Bank and the time to expiration.

Note: The Time Bank and the expiration override the Session-Timeout defined in the group.

Traffic - This field holds the maximum traffic (upload and download) the user is allowed. When this bank is depleted the user will not be able to log in again.

Enforce Time and Enforce Traffic - Check boxes that select whether the banks are enforced.

Note: Certain routers support a traffic limit within a session, for example Mikrotik, Chillispot, Nomadix, Colubris and others. In such cases Aradial sends the traffic limit to the router, which disconnects the user close to the breach of the traffic limit. The configuration/script is in the Metering.tcl script.
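The following is an added example, not Aradial's code or its Metering.tcl script, showing the decision the metering rules above imply: reject when an enforced bank is depleted or the account has expired, otherwise return the smaller of the remaining time bank and the seconds to expiration as the session limit (overriding the group Session-Timeout), and pass the remaining traffic as a per-session limit for routers that support it. The field names, the result dict and the sample user are assumptions made for this illustration.

```python
"""Time Bank / Traffic Bank / expiration metering, as described above.

Added example, not Aradial's own code or its Metering.tcl script. It shows the
decision an authentication check makes from the metering fields: reject when
an enforced bank is depleted or the account has expired, otherwise return the
smaller of the remaining time bank and the seconds until expiration as the
session limit, which overrides the group's Session-Timeout. Field names,
the result dict and the sample user are assumptions for this illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class MeteredUser:
    time_bank_s: Optional[int]        # Meter Bank Time in seconds; None = no time bank
    used_time_s: int                  # seconds already consumed
    traffic_bank_mb: Optional[float]  # Traffic bank in MB (in + out); None = no traffic bank
    used_traffic_mb: float
    expires_at: Optional[datetime]    # account expiration; None = never
    enforce_time: bool = True         # the "Enforce Time" check box
    enforce_traffic: bool = True      # the "Enforce Traffic" check box


def remaining_time_s(u: MeteredUser) -> Optional[int]:
    return None if u.time_bank_s is None else max(0, u.time_bank_s - u.used_time_s)


def remaining_traffic_mb(u: MeteredUser) -> Optional[float]:
    return None if u.traffic_bank_mb is None else max(0.0, u.traffic_bank_mb - u.used_traffic_mb)


def authorize(u: MeteredUser, group_session_timeout_s: Optional[int], now: datetime) -> dict:
    """Return a dict with accept, reason, session_timeout (seconds or None) and
    traffic_limit_mb (for routers that enforce a per-session traffic limit)."""
    def reject(reason: str) -> dict:
        return {"accept": False, "reason": reason, "session_timeout": None, "traffic_limit_mb": None}

    if u.expires_at is not None and now >= u.expires_at:
        return reject("account expired")

    time_left = remaining_time_s(u)
    if u.enforce_time and time_left == 0:
        return reject("time bank depleted")

    traffic_left = remaining_traffic_mb(u)
    if u.enforce_traffic and traffic_left == 0:
        return reject("traffic bank depleted")

    # The session limit is the minimum of the remaining time bank (when
    # enforced) and the time to expiration; either one overrides the group value.
    candidates = []
    if u.enforce_time and time_left is not None:
        candidates.append(time_left)
    if u.expires_at is not None:
        candidates.append(int((u.expires_at - now).total_seconds()))
    session_timeout = min(candidates) if candidates else group_session_timeout_s

    traffic_limit = traffic_left if (u.enforce_traffic and traffic_left is not None) else None
    return {"accept": True, "reason": "ok",
            "session_timeout": session_timeout, "traffic_limit_mb": traffic_limit}


def sample_user(now: datetime) -> MeteredUser:
    """Constructed sample: 10h bank with 8h20m used, 1 GB bank with 100 MB used, expires in 1h."""
    return MeteredUser(time_bank_s=36000, used_time_s=30000,
                       traffic_bank_mb=1024.0, used_traffic_mb=100.0,
                       expires_at=now + timedelta(hours=1))


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(authorize(sample_user(now), group_session_timeout_s=7200, now=now))
```

For the sample user the returned session limit is 3600 seconds: the account expires in one hour, which is less than the 6000 seconds left in the time bank, so expiration wins even though the group would have allowed 7200.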

Custom Information - These fields may be used to store any custom information you wish to keep about the user.


Comments - Use this text box to store general information regarding your user. Note that although only the User ID, Password, and Group Name are required fields, it is a good management strategy to store as much information as possible regarding your user.


Importing Users into Aradial


Aradial allows you, as discussed previously, to create new user accounts either by using the Administrator interface, through the Add/Edit User page, or by the New User interface, by filling in the New User form. Aradial also allows you to import users from existing sources such as Windows and various types of text files, including UNIX passwd/shadow files, Livingston RADIUS for UNIX users files and comma separated values (CSV) files.

Importing OS / Windows users

By using Aradial to import Windows users, you achieve two things. The first is a common security model: Aradial not only imports Windows users, but also maintains the link to the source Windows account by using the Windows password as the user's password under Aradial. This means that if the user's password is changed in Windows, the change is reflected in Aradial, and vice versa (i.e. a Windows user's password changed from Aradial also updates Windows). The second is time saving, as you do not need to add existing users manually into Aradial. Aradial refers to Windows users as OS users, and this term is used from now on.

The Windows Import page may be reached from the Administrator interface by clicking Data Management > OS Users Import. Notice that this page, although related directly to Accounting, is placed under the Data Management tab, because importing users is not a routine operation and is more of a system management nature. The OS Users Import page requires the following information:

Computer from which to import - This selection box lists all Windows machines in your Windows domain. Usually you will import the users from your Primary Domain Controller (PDC)/Backup Domain Controller (BDC), as these are usually the machines that store user accounts in a Windows domain.


NT/AD Group to import - This selection box lists all available global (i.e. available in your NT domain) NT groups from which you may import users. By selecting a specific group, instead of All, you import OS users from the specified group only.

Group to assign - This selection box lists all Groups you have configured, and you may select which Group should be assigned to the imported users.

Perform Event Script after adding a user - Check this checkbox in order to run the script for adding new users (if defined), as set in the Group to which you are importing the users.

When importing OS users, Aradial does the following:
- The Windows username field is used as the OS user's User ID.
- The Windows Full Name field is broken at the first space character and used as the OS user's First Name and Last Name.
- The Windows Description field is used as the OS user's Comments.
- The Windows password is not copied to Aradial, as it is encrypted; instead, Aradial maintains a link to that password by placing the letters OS in the OS user's password field. Note that currently, if you break the password link (i.e. change the password from OS to anything else), Aradial will no longer check the user's password against Windows.

After the import is done, Aradial will inform you whether the import was successful:

n users were successfully added: The number of OS users successfully added to Aradial by the import process.

n users were already in the database: The number of OS users that were already in the Aradial database prior to the last import, and were thus not added.

n users were not added due to errors: The number of OS users that were not added due to unknown problems. A list of the names of all users that were not added to the Aradial database will be shown under Users not added due to errors.

Importing Text File Users

Importing users from text files into Aradial may prove to be a great time-saver. As most ISPs and corporate administrators keep their user database, in one way or another, on UNIX or in a database that can produce a CSV file, this is a fast and easy way to add those users to Aradial without the time it takes to add users manually. The text file User Import page may be reached from the Administrator interface by clicking Data Management > File User Import. Notice that this page, although related directly to Accounting, is placed under the Data Management tab, because importing users is not a routine operation and is more of a system management nature.


The File User Import page requires the following information:

Local File Name - Enter the full path and file name of the file from which the users should be imported. You may use a UNC path (i.e. \\machine\sharedname\path\filename) or a local path (i.e. drive:\path\filename). Notice that the path and filename are relative to the machine running Aradial; a local path/name refers to a file stored on that machine. The import file holds credentials (hashed in passwd/shadow files, in plain text in the CSV format below), so restrict who can read it and remove it once the import has completed.

File Type - Select the file type from which the users should be imported. Importable file types are:
- UNIX Passwd file - A file, common on UNIX machines, which usually resides in the /etc directory and contains User IDs, encrypted passwords and the full name of the user.
- UNIX Shadow file - Another common user/password file on UNIX systems.
- Livingston RADIUS file - The legacy users file used by Livingston's RADIUS for UNIX.
- Comma Separated Values file - Any text file in the format user ID,password,full name,comment.

Group to Assign - This selection box lists all the Groups that were configured, and you may select the Group to which the imported users should be assigned.

Perform Event Script after adding a user - Check this checkbox in order to run the script for adding new users (if defined), as set in the Group to which you are importing the users.


After the import is done, Aradial will inform you whether the import was successful:

n users were successfully added: The number of text file users successfully added to Aradial by the import.

n users were already in the database: The number of text file users that were already in the Aradial database prior to the last import, and were thus not added.

n users were not added due to errors: The number of text file users that were not added due to unknown problems. A list of the names of all users that were not added to the Aradial database will be shown under Users not added due to errors.


Viewing Session Reports


View Sessions page may be reached from the Administrator interface by clicking User Manager > View Sessions. The Query page of View Sessions displays the following information:

Report Type - Select the type of Sessions Report you wish to see: Individual Sessions or Sessions Summary. The Individual Sessions report displays the user(s) sessions sorted by time of login. The Sessions Summary report displays a cumulative report of the time and bandwidth the user consumed throughout the sessions he conducted.

Subtype - Select whether the summary report should display all the users or just users that have sessions.

User ID - Enter in this field the User ID whose sessions you wish to see. If the From Date and To Date fields are left empty, Aradial will list all sessions for the User ID specified.


From Date - Enter the starting date from which to look for user sessions. The date format depends on the Date format setting in the Miscellaneous configuration, optionally followed by hh:mm:ss (for an exact time search). If the User ID field is left empty, all users' sessions between the From Date and To Date will be displayed. Examples: search with date only: 20/01/10; search with date and time: 20/01/10 15:00:00.

To Date - Enter the end date up to which the sessions should be searched. The date format depends on the Date format setting in the Miscellaneous configuration, optionally followed by hh:mm:ss (for an exact time search). If the User ID field is left empty, all users' sessions between the From Date and To Date will be displayed.

Business Entity - List only users that belong to the Business Entity selected.

MAC Address/Caller ID - Based on the Calling-Station-Id attribute or the Caller ID. Defined In User: list only sessions of users whose Caller ID contains the value (MAC, phone). Defined In Session: list only sessions whose Caller ID contains the value (MAC, phone).

Ascending - Sort the report results ascending by date. The default is descending.

Historical Data - Show only users that are archived.

Printable Report - Show the report as long formatted HTML, suitable for printing.

Export To File - Send the results to a CSV file.

After clicking on the Search button, a list of sessions, in case there are any, will be displayed, along with the dates on which the sessions took place. The Individual Sessions page will display the following information:

User ID - This field displays the User ID of the user who generated the session. Clicking on the User ID displays the user information page.

NAS Name - This field displays the NAS to which the user connected when the session took place. If the NAS no longer exists in the database, i.e. it was erased or its IP address was changed, the IP address of the original NAS is displayed instead.

NAS Port - This field displays the NAS port to which the user connected when the session took place. Notice that not all NASes provide this information; if your NAS does not, this field will be blank.

Login Time - This field displays the time and date at which the session started.

Time Online (hh:mm:ss) - This field displays the duration of the session.

IP Address - This field displays the IP address of the user.

Caller ID - The caller ID for the session; can be a MAC address or a phone number.

Destination - The called number (DNIS) for VoIP.

In MB - This field displays the amount of data, in MB, the user received (download).

Out MB - This field displays the amount of data, in MB, the user sent (upload).

The Sessions Summary page will display the following information:

User ID - This field displays the User ID of the user who generated the sessions. Clicking on the User ID displays the user information page.

Group Name - This field displays the Group to which the user belongs.

Total Sessions - This field displays the number of sessions.

Total Hours - This field displays the overall duration of all included sessions.

Total In MB - This field displays the overall amount of data, in MB, the user received (download).

Total Out MB - This field displays the overall amount of data, in MB, the user sent (upload).

From Date - The date from which sessions have been included in the summary report. No From Date value means all sessions up to the To Date were included.

To Date - The date up to which sessions have been included in the summary report. No To Date value means all sessions from the From Date until now were included.

Example:

Suppose you wish to look up all sessions that took place between June 15th, 1997 and June 16th, 1998 by your user JohnDoe:
1. Enter the Aradial Administrator interface and click on User Manager > View Sessions.
2. When the View Sessions page opens, select the type of report you wish to see, either Sessions Summary or Individual Sessions.
3. Enter the User ID in the User ID field, in this case JohnDoe.
4. Enter the From Date and To Date to set the range of time in which sessions should be searched for. In this case, enter 06-15-1997 and 06-16-1998, respectively.


Black & White List


The B&W List page may be found in the Administrator interface by clicking User Manager. The 'B&W List' page allows the user to create and maintain black and white lists with their associated resources (a resource refers to a phone number or a user name). White lists and black lists are a generic mechanism that allows creating multiple lists, where each list is identified by a category and may contain any number of resources. The semantics of each such list can be one of the following:

Black list - Membership of a given resource in the list denies access to a service.

White list - Membership of a given resource in the list allows access to a service (in other words, without membership in the list, access to the service is not allowed).

Pressing the Add button allows the user to define a new list:

Name: Free text field which allows the user to set the list name.

Description: Free text field which allows the user to describe the list name and/or purpose.

Pressing the Edit button allows the user to view all available lists:


Name: The list name as it was entered when the list was registered. Pressing on the name opens the above screen and allows the user to edit the list name and description.

Description: The list description as it was entered when the list was registered.

Resources: Provides the ability to show the available resources and/or add a new resource under the specific list.

Action: The Action hyperlink provides the user the ability to delete a black/white list and all its resources. Pressing the delete button pops up a confirmation message. After approval, the black/white list and all of its associated resources are deleted.

Resources page, Show hyperlink: pressing on the Show hyperlink will present the available resources defined in the list level.


The following options are available:

Resource: The field presents the resource value. Pressing on the resource hyperlink opens the resource page and allows the user to change or edit the resource details.

Active (Resources list page): The field presents whether the resource is active or inactive (see the Resource Page below).

Group Name: The field presents the group defined at the resource level (if one was defined). If no group was defined at the resource level, the field is empty.

Action: The Action hyperlink provides the user the ability to delete a specific resource from the list. Pressing the delete button pops up a confirmation message. After approval, the resource is deleted from the list.

Resource Page:


Resource: The field presents the resource value.

Group Name: Aradial allows the user to set a group at the resource level. In such a case the resource level group overrides the group associated with the user.

Active (single resource page): Aradial allows the user to activate or deactivate specific resources in the list. Active means that the rule will be enforced. Not active means that the resource definition in the list will currently not be enforced.

Resources page, Add hyperlink: The Add button provides the user the ability to add a new resource to the list.

For field descriptions please see the 'Resource' option above.

Aradial provides two algorithms that use the black/white list functionality:

Standard Authentication Algorithm

The standard algorithm was enhanced to support black/white lists. User Groups have an optional reference to a black list and an optional reference to a white list. During the authentication flow:
- If the user's group has a black list and the Calling-Station-Id is in that black list, then the request is either rejected (if the black list resource has no associated group) or the associated group is used instead.
- If the user's group has a white list and the Calling-Station-Id is not in the white list, then the request is rejected. If it is in the white list and the white list resource has an associated group, that group replaces the current group.

There are two configuration parameters for the standard authentication algorithm:
- BlackResourceAttribute - The RADIUS attribute that is used as the black list resource. Default is Calling-Station-Id.
- WhiteResourceAttribute - The RADIUS attribute that is used as the white list resource. Default is Calling-Station-Id.

Note: When black/white lists are used with the default resource attribute of Calling-Station-Id, they have the same semantics as the CallerId template, but as a global list shareable by many users/groups and with an unlimited number of resources.

Note: When black/white lists are used with a resource attribute of Called-Station-Id, they act as a global black/white list of the numbers that are blocked/allowed to be dialed.

Black-White-List Algorithm

This is a standalone algorithm that can be used to embed black/white list functionality in a custom flow. The algorithm has the following parameters:
- BlackWhiteResourceAttribute - The RADIUS attribute that is used as the black/white list resource. Default is User-Name.
- ListName - The name of the list to use. This is a mandatory parameter.
- GroupOutputAttribute - The name of an attribute to receive the group associated with the black/white resource in case of a match.
- SuccessMessage - A message to be sent as Port-Message in case of success (the resource exists in the resource list).
- FailureMessage - A message to be sent as Port-Message in case of failure (the resource does not exist in the resource list).
- SuccessResponse - The response RADIUS message in case of success.
- FailureResponse - The response RADIUS message in case of failure.

The algorithm has the following logic:
- Fetch a resource from the Black White List Resource table based on the configured list name and the value of the resource attribute taken from the request.
- If the resource is found and it is active then:
  o Copy the associated group to the group output attribute (if the group is not empty).
  o Return a success code. Note: success has a different meaning for black and white lists, but that meaning is handled in the calling application/flow.
- Otherwise, return a failure code.
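The following is an added example, not Aradial's code, implementing both algorithms described above (the standard authentication flow with a group's black/white list references, and the standalone Black-White-List algorithm) over an in-memory copy of the resource table. The class and function names and the sample lists are assumptions made for this illustration; the decision rules follow the text. Note that the resource attribute (Calling-Station-Id by default) is whatever the NAS reports, so a white list on it restricts which reported MACs or numbers may authenticate and does not replace the password check.

```python
"""Black/white list evaluation, as an added example (not Aradial code).

It implements the two algorithms described above over an in-memory copy of
the Black White List Resource table: standard_auth_lists() applies a group's
optional black and white list references during authentication, and
black_white_lookup() is the standalone Black-White-List algorithm. Class and
function names and the sample lists are assumptions for this illustration;
the decision rules follow the text.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Resource:
    value: str
    active: bool = True            # inactive resources are not enforced
    group: Optional[str] = None    # optional Group Name set at the resource level


@dataclass
class BWList:
    name: str
    resources: Dict[str, Resource] = field(default_factory=dict)

    def match(self, value: str) -> Optional[Resource]:
        """Return the resource only if it is present and active."""
        hit = self.resources.get(value)
        return hit if hit is not None and hit.active else None


@dataclass
class Group:
    name: str
    black_list: Optional[BWList] = None
    white_list: Optional[BWList] = None


def standard_auth_lists(group: Group, request: Dict[str, str],
                        black_attr: str = "Calling-Station-Id",
                        white_attr: str = "Calling-Station-Id") -> Tuple[bool, str, str]:
    """Standard authentication algorithm: return (accepted, effective group, reason).
    Both list references are read from the user's original group (assumption)."""
    effective = group.name
    if group.black_list is not None:
        hit = group.black_list.match(request.get(black_attr, ""))
        if hit is not None:
            if hit.group is None:
                return False, effective, f"{black_attr} is in black list {group.black_list.name}"
            effective = hit.group                      # demote to the resource's group
    if group.white_list is not None:
        hit = group.white_list.match(request.get(white_attr, ""))
        if hit is None:
            return False, effective, f"{white_attr} is not in white list {group.white_list.name}"
        if hit.group is not None:
            effective = hit.group                      # resource group replaces current group
    return True, effective, "ok"


def black_white_lookup(table: Dict[str, BWList], list_name: str, request: Dict[str, str],
                       resource_attr: str = "User-Name",
                       group_output_attr: Optional[str] = None,
                       success_message: str = "", failure_message: str = "") -> dict:
    """Standalone algorithm: success when the resource exists and is active.
    The calling flow decides what success means for a black versus a white list."""
    if not list_name:
        raise ValueError("ListName is a mandatory parameter")
    lst = table.get(list_name)
    hit = lst.match(request.get(resource_attr, "")) if lst is not None else None
    reply: Dict[str, str] = {}
    if hit is not None:
        if group_output_attr and hit.group:
            reply[group_output_attr] = hit.group
        if success_message:
            reply["Port-Message"] = success_message
        return {"success": True, "reply": reply}
    if failure_message:
        reply["Port-Message"] = failure_message
    return {"success": False, "reply": reply}


def sample_table() -> Dict[str, BWList]:
    """Constructed sample lists (not real data)."""
    stolen = BWList("StolenDevices", {
        "00-11-22-33-44-55": Resource("00-11-22-33-44-55"),                      # reject outright
        "00-11-22-33-44-66": Resource("00-11-22-33-44-66", group="Quarantine"),  # demote instead
        "00-11-22-33-44-77": Resource("00-11-22-33-44-77", active=False),        # rule switched off
    })
    staff = BWList("StaffPhones", {
        "+15551230001": Resource("+15551230001"),
        "+15551230002": Resource("+15551230002", group="Managers"),
    })
    return {stolen.name: stolen, staff.name: staff}
```

A black list entry with a group therefore never rejects; it changes which group's profile is returned, which is how a "quarantine" group for flagged devices is built with the same list.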


Chapter 4

Prepaid Cards

Aradial supports an unlimited number of card/user types and allows operators to generate large batches of prepaid cards or users. The following features are supported by Aradial prepaid cards:
- Unlimited number of card types
- Card type management (add, edit, remove)
- Generation of prepaid card batches
- Generation of a single prepaid card
- Full batch life cycle management
- Management of prepaid card batches
- Prepaid card summary and detailed reports
- Card session summary
- Support for viewing historical data


Card Types

The Card Types page can be found under the Aradial main page, Prepaid Cards > Card Types. Card types allow the operator to define a set of prepaid card templates, which make batch generation easier later on. The card type entity supports a set of definitions at the card level.

Adding Card Type page:

Card Type: A free text field which sets the card type name. The card type is used when generating batches of prepaid cards and effectively enables segmentation of prepaid cards.

Time Bank: Holds the number of seconds at the card type level. When generating a prepaid card batch using a specific card type, the value in the time bank is used for the generated cards and is enforced by Aradial. Predefined values can be selected from the drop down; however, you may fill in any value by choosing the "other" option.

Traffic Bank: Holds the number of MB at the card type level. When generating a prepaid card batch using a specific card type, the value in the traffic bank is used for the generated cards and is enforced by Aradial. Predefined values can be selected from the drop down; however, you may fill in any value by choosing the "other" option.


Card Length: Specifies the card ID length.

Password Length: Specifies the card password length.

Password Symbols Set: A combo box which allows the user to set the password symbols. The possible values are: alphanumeric, digits only, capitals and numbers, alphanumeric readable, and custom, which allows the user to define and customize the rules in the Aradial configuration.

Enable Password: Selects whether the generated cards will have a password (Yes) or not (No). If no password is selected, the cards will have a password source of No Password, so the card ID alone grants access; in that case use random rather than sequential card IDs.

User Name Type: Decides whether to create the user names / card IDs in sequential order or random order.

Card Price: Sets the card price. When generating the prepaid cards, the user will be able to choose a price from a predefined list or set his own price by choosing the 'other' option.

Group Name: Defines the group name to be associated with the created users at the card type level.

Business Entity: Allows a business entity association. Choosing a business entity means that all created cards will be registered under the chosen business entity.


Edit Card Type page

The edit page displays all existing card types and allows opening and editing their details.

Card Type: The card type name. Clicking on the card type opens the selected card type in edit mode and allows changes.
Time Bank: The value of the time bank.
Traffic Bank: The value of the traffic bank.
Card Length: The value of the card length.
Password Length: The value of the password length.
Price: The value of the card price.
Default Group Name: The selected group name.
Business Entity: The card's business entity (or None if no business entity was selected).


Generate Prepaid Cards


The Generate Prepaid Cards page allows the user to generate a batch of prepaid cards, or to add prepaid cards to an existing batch, either using predefined card types or by specifying the card parameters directly. The user has full control over the batch parameters and input values, which allows high flexibility.


Card Type: Allows creating a batch of prepaid cards using a predefined card type. The combo box presents the available card types. When a specific card type is selected, the related attributes are populated automatically. The card type is not mandatory, and the user may generate a batch using his own parameters instead of a predefined card type. In that case, the user is required to fill in all input parameters for the prepaid card generation.

Number of Prepaid Cards to Generate: Specifies the number of cards to be created.

Enable Password: Selects whether the generated cards will have a password (Yes) or not (No). If no password is selected, the cards will have a password source of No Password.

Batch Prefix: Selects the prefix to be used for the generated cards. The same prefix is used for all created cards.

Cards Batch: Specifies the batch to which the cards will be assigned. You may generate prepaid cards into an existing batch by selecting a batch from the combo box, which presents the available batches in the system. For a new batch, use the 'None' value and fill in a new batch name.

Number of Seconds: Number of seconds to be included in the cards' time bank. You can select a value from a predefined combo box or specify any other value by selecting the 'other' option and entering the value.


Number of MegaBytes: Number of MB to be included in the cards' traffic bank. You can select a value from a predefined combo box or specify any other value by selecting the 'other' option and entering the value.

Card Number Size: The size of the generated card number. This is also the user ID which will be used for user authentication.

Expiration Date: Allows setting an expiration date for the cards. A blank value means no expiration date.

Create Active: Whether to create the cards as active (and ready for use) or not. Active cards are ready for use, while non-active cards require manual activation (please refer to the Manage Prepaid Cards section).

Password Symbols Set: A combo box which sets the password symbols. The possible values are: alphanumeric, digits only, capitals and numbers, alphanumeric readable, and custom, which allows you to define and customize the rules in the Aradial configuration.

User Name Type: Decides whether to create the card IDs in sequential order or random order.

Start Number in Range to Generate: Specifies the start number to be used after the batch prefix. For example: batch prefix A with start number 10000 and card length 6 will generate the following cards: A10000, A10001, etc.

Card Price: Specifies the card price. Filled in automatically when using a predefined card type.

Password Size: Specifies the password size to be created for the cards.

Group to Assign: Specifies the group under which the cards will be created.

Business Entity: Specifies the business entity under which the cards will be created.

Return Detailed Results: Checking this flag means that the generated prepaid cards will be presented on the screen after the operation is completed.

Export to File: Checking this flag means that the generated prepaid cards will be exported into a CSV file after the operation is completed. The file contains card IDs and passwords, i.e. sellable credentials, so protect it like any other credential store.
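The following is an added example, not Aradial's code, that reproduces the batch parameters described above: Batch Prefix, Start Number and Card Number Size (so prefix A, start 10000 and size 6 give A10000, A10001, ...), sequential or random card IDs, Enable Password, Password Size and the listed Password Symbols Sets. The exact alphabets, the "readable" set dropping 0/O/1/l/I, the use of digits for random IDs and all function names are assumptions made for this illustration. Passwords and random IDs are drawn from a CSPRNG because a card ID is a login name and, when Enable Password is No, the only credential.

```python
"""Prepaid card batch generation, as an added example (not Aradial code).

It reproduces the batch parameters described above: Batch Prefix, Start
Number, Card Number Size (so prefix A, start 10000 and size 6 give A10000,
A10001, ...), sequential or random card IDs, Enable Password, Password Size
and the listed Password Symbols Sets. The exact alphabets, the "readable"
set dropping 0/O/1/l/I, the use of digits for random IDs and all function
names are assumptions for this illustration.
"""
import secrets
import string
from dataclasses import dataclass
from typing import List, Optional

SYMBOL_SETS = {
    "alphanumeric": string.ascii_letters + string.digits,
    "digits": string.digits,
    "capitals_and_numbers": string.ascii_uppercase + string.digits,
    "alphanumeric_readable": "".join(c for c in string.ascii_letters + string.digits
                                     if c not in "0O1lI"),
}


@dataclass
class Card:
    card_id: str
    password: Optional[str]   # None when Enable Password is No
    batch: str
    time_bank_s: int
    traffic_bank_mb: int
    price: float
    group: str
    active: bool


def random_token(length: int, alphabet: str) -> str:
    """Uniformly random token from a CSPRNG (never random.random for credentials)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_batch(count: int, prefix: str, card_size: int, start_number: int,
                   sequential: bool, enable_password: bool, password_size: int,
                   symbol_set: str, batch: str, time_bank_s: int, traffic_bank_mb: int,
                   price: float, group: str, create_active: bool = True) -> List[Card]:
    digits = card_size - len(prefix)              # numeric part after the prefix
    if digits <= 0:
        raise ValueError("Card Number Size must exceed the Batch Prefix length")
    if count > 10 ** digits or (sequential and start_number + count - 1 >= 10 ** digits):
        raise ValueError("requested range does not fit in the Card Number Size")
    alphabet = SYMBOL_SETS[symbol_set]
    cards: List[Card] = []
    seen = set()
    for i in range(count):
        if sequential:
            card_id = f"{prefix}{start_number + i:0{digits}d}"
        else:
            # Random IDs: retry on a collision inside the batch. A real deployment
            # must also check the existing user table before inserting.
            while True:
                card_id = prefix + random_token(digits, string.digits)
                if card_id not in seen:
                    break
        seen.add(card_id)
        password = random_token(password_size, alphabet) if enable_password else None
        cards.append(Card(card_id, password, batch, time_bank_s, traffic_bank_mb,
                          price, group, create_active))
    return cards
```

The range check matters for sequential batches: with prefix A and size 6 there are only 100000 possible numbers, so a start of 99990 with 20 cards is refused instead of producing IDs longer than the configured size.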

The following screenshot presents a batch using a predefined card type, where some of the fields are set automatically and disabled:


Once the card details have been populated and the 'Generate' button pressed, the process is executed and a batch of prepaid cards is created based on the input parameters. Detailed result page:


Card ID: The created card ID, which is also the user ID, based on the input parameters (batch prefix and start number, padded to the card length).
Password: The created password, based on the input parameters (digits only in this example).
Card Batch: The card's batch.
Time Bank: The time bank value.
MB Bank: The MB bank value.
Card Price: The card price value.
Expiration Date: The expiration date, if one exists. An empty field means no expiration date.
Group Name: The associated card/user group.
Action: Allows deletion of prepaid cards. Deleted cards are kept in the historical repository.

Generate Single Prepaid Card


The Generate Single Prepaid Card page enables generating a single card using the predefined card types. The following screenshot presents the generation of a single card using a predefined card type:

Please note: when no card type is defined in the system, the list of card types will be empty and the Generate button will be disabled. Once the 'Generate' button is pressed, the generation process is executed and a single prepaid card is created based on the selected card type. Detailed result page:


Manage Prepaid Cards


The Manage Prepaid Cards menu provides the user with full control over the batches and prepaid cards and supports status changes in various cases.

Perform Operation: A combo box which allows several operations to be executed at the batch or card level. The following options are available:
- Activate - Allows activation of batches/cards. The option is available for batches/cards which were created as non-active.
- Deactivate - Allows deactivation of batches/cards. The option is available for batches/cards which are in active status only.
- Delete - Allows deletion of batches/cards. The option is available for batches/cards which are in active or inactive status. The deleted cards are kept in the history repository.

Batch: Allows filtering based on a specific batch. The list presents the available batches in the system.
Card ID: Allows operating on a single card. You need to fill in the card ID.
Business Entity: Allows filtering based on a business entity.
Card Type: The combo box presents the available card types and allows filtering by card type, for example when multiple batches use the same card type.
Active: Allows filtering based on the card status.
Card Price: Allows filtering based on the card price.
Depleted Only: Allows filtering based on depletion of the user's metering banks.
Create Date: Allows filtering based on creation date. Available operators are: is after, is before or is (equal).
Start Date: Allows filtering based on start date.
Expiration Date: Allows filtering based on expiration date. Available operators are: is after, is before or is (equal).


The following page presents an example for deactivating cards belonging to a specific batch:

The list of cards that will be affected by the operation is presented, and you should press the Confirm button to approve the operation. Once the Confirm button is pressed, an approval message is displayed.


Prepaid Cards Reports


The Prepaid Cards Reports page allows you to generate detailed or summary reports for your prepaid cards. The following page allows you to define the criteria for the reports:

Report Type: Allows selecting between a summary report and a detailed report. The summary report presents summaries at the batch level; the detailed report presents details at the card level.

Batch: Allows filtering based on a specific batch. For example, when you want a summary report for a single batch, choose the batch name from the combo box.
Card ID: Allows filtering based on a card ID.
Business Entity: Allows filtering based on a business entity.
Card Type: Allows filtering based on a card type.
Active: Allows filtering based on the card status.
Card Price: Allows filtering based on card price.


Depleted Only: Allows filtering based on depletion of the user's metering banks.
Create Date: Allows filtering based on card creation date. Available operators are: is after, is before or is (equal).
Start Date: Allows filtering based on card start date. Available operators are: is after, is before or is (equal).
Expiration Date: Allows filtering based on card expiration date. Available operators are: is after, is before or is (equal).
Export to File: When this flag is marked, you will be able to export the report details into a CSV file.
Printable Report: When this flag is marked, you will be able to view the report in printable format, and a Print option will be available.

Summary report output page:

Batch: The batch name. If no batch name was used in the batch generation, the field remains empty. The summary report displays a single line per batch.
Business Entity: The business entity the cards were created under. If no business entity was selected in the card generation, the field remains empty.
Total Cards: Total cards in the batch (all statuses).
Active Cards: Total of active cards in the batch.
Non Active Cards: Total of non-active cards in the batch.
Total Price: Total price for all cards under the selected batch (cards in all statuses).
Active Price: Total price for all active cards in the batch.


Detailed report output page:

Batch: The batch the prepaid card belongs to.
Card ID: The card ID.
Price: The price for the single prepaid card.
Action: Allows marking the prepaid card for deletion. Deleted cards are kept in the history repository.


Card Session Summary


The Card Session Summary page allows you to gather statistics and view detailed or summary reports for prepaid card sessions. The following page allows you to define and set the input parameters for your reports:

Report Type: A combo box presenting the available batches in the system. The field allows you to retrieve results for a specific batch.
Report Subtype: Specifies whether to present the session lookup report for cards with sessions only, cards without sessions, or both.
Card ID: Allows you to specify a single card ID and hence present session details for a single user.
Date: The From and To fields allow you to filter your sessions based on a range of dates.
Business Entity: Allows you to filter sessions for a specific business entity. The combo box presents the available business entities in Aradial.
Ascending: When this flag is marked, the output results are presented in ascending order.
Historical Data: When this flag is marked, the output results also include historical data (for deleted prepaid cards).

Printable Report - when marking this flag, the output results will be presented in printable format. A Print button will be available on the screen.
Export to File - when marking this flag, the output results will be exported into a CSV file.

The following screenshot presents an output for cards related to a specific batch which have sessions:

Card ID - the card ID the line is referring to. Clicking on the card ID hyperlink will take you to the related user page.
Total Sessions - the total number of sessions the card has.
Group name - the group the card is associated with.
Total Hours - the total hours used for the selected card in all sessions.
Total in MB - the total in MB used for the selected card in all sessions.
Total out MB - the total out MB used for the selected card in all sessions.
From Date - the date of the first session for the selected card.
To Date - the date of the last session for the selected card.
Action - allows you to drill down to a detailed report for the selected card.

The following is a detailed report for the selected card:

Chapter

Online Sessions and Graphs


Understanding Aradial Online Sessions and Graphs.

Aradial, by processing extensive amounts of data, is able to display, in real time, information about your server such as online users, maximum sessions, logins, online time and more. This information is available through the following pages:

Online Sessions - This page, available by clicking on the Online Sessions button in the Administrator interface, displays online user information such as the User ID, the originating NAS and port, and online time.
Graphs - These pages, available by clicking on the Statistics button in the Administrator interface and selecting the required graph, display information such as maximum sessions, logins, online time and revenues on a daily, weekly, monthly and yearly basis.

Online Sessions
You may configure the way in which the information is displayed:

Poll Every - The Poll Every selection box allows you to set the update time for the Online Sessions page. The default value for Poll Every is Manual, meaning you have to click the Update Now button (described below) in order to update the page. Other values are in seconds, so if you select 10 Seconds, the Online Sessions page will automatically update itself every 10 seconds.

Sort By - The Sort By selection box allows you to alter the way in which the information is sorted. The default value for Sort By is NAS Name, meaning all information will be sorted by NAS Name. You may change this value to Online Since, which shows at what time a user connected; Time Online, which shows how long a user has been connected; or User ID.
Ascending - Use this check box to set the direction in which the information is sorted: lower to higher (a-Z, 0-9) or higher to lower (Z-a, 9-0).
Lookup User(s) - Use this text box to specify a user name. Using this field, you can narrow down the list of online users and see if a specific user is currently connected. You may also use the % wildcard in this field, for example: looking up the user A% will narrow the online users list to just the User IDs that begin with A.
Update Now - Click the Update Now button to update all information on the page, sorting it by the values you have set in the Sort By selection box and the Ascending check box.

The following are the information fields displayed in the Online Sessions page:

User ID - The User ID of the user connected to the system. Click on the User ID to access the User Edit page, which allows you to view and edit the user information.
NAS Name - The name of the NAS to which the user is connected. Click on the NAS Name to access the Edit NAS page, which allows you to view and edit the NAS information.
NAS Port - The port number on the NAS to which the user connected. This number is supplied by the NAS. As not all NASes support this feature, this field may be blank.

Online Since - When the user initiated the connection to your network.
Time Online - How long the user has been connected to your network.
Service - The type of service granted to the user and optionally, based on the type of the service, which IP address has been assigned to the user, or which host the user telneted or rlogged into.
Disconnect - Available actions for the Online Sessions page are:
Passive Disc. - By clicking on this link, you are able to passively disconnect a user. A passive disconnect means that the user will be reported to Aradial as disconnected, even if still connected to the NAS. You should use this option only in cases where your NAS has shut down before issuing an Account-Stop packet to Aradial, so that Aradial still regards the user as online (in which case, the user may not be able to log in again).

Active Disconnection - By clicking on this option you send a disconnection request (PoD) to the NAS (please refer to chapter 10). This option provides the ability to terminate a specific session in the NAS. The NAS will terminate the session and send an Accounting-Stop message to Aradial, which in turn will remove the session from the active session list and also generate a CDR for the session up to the disconnection. After clicking the Active link, the following confirmation will be displayed:

Aradial also provides the ability to deactivate the user after session disconnection. Please note: user deactivation will not disconnect other active sessions for the user but will prevent new user sessions.
User Disconnection - By clicking on this option you send a disconnection request for each existing session of a specific user (please refer to chapter 10). This means that all user sessions will be disconnected. The disconnect message will be sent to the NAS. The NAS will send an Accounting-Stop message for each disconnected session. Aradial in turn will remove the sessions from the active session list and generate CDRs for the sessions up to the disconnection. After clicking the link, the following confirmation will be displayed:

Aradial also provides the ability to deactivate the user after session disconnection.

Graphs
You may select which graph to display after clicking on the Statistics button:

Peak Sessions - This graph displays the maximum number of concurrent sessions established by your users on a daily, weekly, monthly, and yearly basis. You may choose to generate the graph by All, which displays the overall sessions regardless of the user groups or NAS of origin; by Group, which displays the number of sessions established by each user group; or by NAS, which displays the information based on the origin NAS.
Logins - This graph displays the number of concurrent logins by your users on a daily, weekly, monthly, and yearly basis. You may choose to generate the graph by All, which displays the overall number of logins regardless of the user groups or NAS of origin; by Group, which displays the number of logins by each user group; or by NAS, which displays the information based on the origin NAS.
Online Time - This graph displays the overall amount of time spent online by your users on a daily, weekly, monthly, and yearly basis. You may choose to generate the graph by All, which displays the overall amount of time online regardless of the user groups, or by Group, which displays the amount of time online used by each user group.

Chapter

IP Pool Monitoring

Understanding Aradial IP Pool monitoring.

Aradial Admin provides the user with the ability to view the current state of all IP allocations, search by various criteria and view IP statuses and details.

IP Pool monitoring is only available if the Persistent IP Pools or Distributed IP Pools options are enabled. The IP Pool monitoring page can be found in the Aradial Home tab by clicking on the 'IP Pool Monitoring' hyperlink. The following page is presented:

The following fields / options are available:

Pool name - allows the user to view IPs for all or a specific IP Pool. This is a drop-down list presenting the available IP Pools. By default the value 'ALL' is selected.
Start time - allows the user to search IPs based on a time range by using the 'from' and 'to' fields. The start time relates to the last change in the specific IP (e.g. IP allocated, confirmed or released).
IP - allows the user to search a range of IPs by using the 'from' and 'to' fields. When using an IP range, the 'From' field must be one number below the requested input parameter and the 'To' field must be one number above the requested parameter. Example: for searching the IP range 10.10.10.15 to 10.10.10.55, the parameters must be entered as follows: From = 10.10.10.14, To = 10.10.10.56.
State - allows the user to search for a specific IP or a set of IPs based on their status. The field is a drop-down list presenting the available statuses. By default the value 'ALL' is selected. The following are the available statuses:
Unused - unused IP addresses which are in the pool and ready for allocation.
Confirmed - used IP addresses which were already allocated and are in use (by a session).
Unconfirmed - allocated IPs which are not confirmed yet (allocated during Access-Request, but not yet confirmed at Accounting-Start).
Report type - this is a drop-down list allowing the user to choose the output format and grouping. The following options are available:
Individual IP - each IP will be presented in a separate line.

Summary by Pool and state - will present a line per pool and state

Summary by Pool - will present a line per pool

Summary by state - will present a line per state (combined for all Pools)

View - by clicking on the View button, the results will be displayed based on the search criteria.
Reset - resets the search criteria to the default ones.

IP Pool Repository View


The IP Pool repository presents the results based on the selected search criteria. The following is the result page for the default search criteria:

The following fields / activities are available:
Pool name - The pool name. The field is a hyperlink. Clicking on the pool name will open a page which allows the user to view the IP Pool details: pool name, start and end IP. This is the same page used for editing IP Pools.

IP - The IP address. The field is a hyperlink. Clicking on the IP address will open a page which allows the user to manually change the IP state:

Modifying an IP allocation state is only available if the Distributed IP Pools option is enabled.
Start time - the time (timestamp) of the last change for the specific IP. For example, if the IP was allocated to a specific session, the start time will contain the time the IP was allocated.
State - the current state of the specific IP (i.e. whether the IP is unused, confirmed or unconfirmed).

Chapter

Server Configuration
Configuring Aradial Server, Adding NASes and IP Pools.

As explained in Chapter 1, the network environment of Aradial is composed of several elements. This chapter will explain how to configure Aradial to accept requests from one of the network elements, the NAS, and where needed, how to add IP Pools from which the NAS will allocate the user an IP address. This chapter also explains the various settings in the Advanced Configuration page, and how to configure Aradial to connect to an LDAP server.

NAS
NAS, or Network Access Server, is a hardware (e.g. terminal servers) or software (e.g. Microsoft's NT RRAS) component used to connect users to your network. Notice that when adding or changing NASes, the Aradial service should be restarted in order to apply the changes. Not doing so may cause unpredictable results.

When configuring a new NAS, you should have the IP address of the NAS for reference. You should also choose a password, which will be shared between the NAS and Aradial. This password will henceforth be referred to as the Secret. Notice that your NAS documentation may refer to this password as either: password, shared password, secret password, shared, RADIUS secret, RADIUS password or secret. The secret is used to encrypt the user passwords between Aradial and the NAS and to sign messages between them. For security reasons, make the secret as hard to remember as possible, meaning it should contain at least 8 characters, preferably mixed letters, numbers and special characters such as !@#$%^&.

Prior to adding a new NAS to Aradial, you should configure your NAS to support the RADIUS protocol. Refer to Appendix C and your NAS documentation to see how to do this for your specific NAS make and model. The NAS page may be reached from the Administrator interface by clicking NAS&Proxy > Add/Edit/Lookup Net. Access Server. The Edit page of NAS displays the following information:

Name - The name of the NAS. By clicking on the name of the appropriate NAS, you may edit its properties.
IP Address - The IP address of the NAS.
Model - The model of the NAS.
Location - The location of the NAS.
Description - The description of the NAS.
Action - Where the possible actions are displayed. For NASes the possible action is: Delete - By clicking on this link you may delete the NAS.

The Lookup page for NAS displays the following search fields:

NAS Name - Use this field to find NASes by their group name.
NAS IP - Use this field to search for NASes with a matching IP.
Model - Use this field to find NASes by selecting their model.
Location - Use this field to search for NASes by their location.

The Add page of NAS will allow you to add new NASes, using the following parameters:

Name - Use this field to set a name for the NAS.
IP - Enter the NAS IP address here. A wrong IP address will prevent Aradial from receiving any requests from the NAS. You may use wildcards in the IP field, thus accepting requests from multiple NASes with one entry. Notice that when using such a setup, all your NASes must share the same SECRET password. The supported wildcard is: * - matches any sequence of characters (zero or more). For example, an IP of 192.168.50.* will accept requests from any IP address starting with 192.168.50. (i.e. 192.168.50.1 to 192.168.50.254).

If your NAS has multiple IPs, you should use the primary IP address of the interface connected to the same network as your NAS.
Dynamic IP - If this check box is enabled, the NAS authentication is done using the NAS Name and secret.
Secret - This field is for the secret password as set on your NAS. A wrong secret will prevent the NAS from accessing Aradial.
Confirm Secret - Enter the secret again here. This is used to verify you entered the secret correctly.

Model - Select the make and model of your NAS here. If you are not sure, you may try Default, which usually works with all NASes. By using a specific model, you will be able to use special services available only to your specific NAS model.
Location - Use this field to enter location information regarding your NAS. Although this information is not essential, storing as much information as possible about your NAS is good management practice.
Description - Use this field to store a description of your NAS. Although this information is not essential, storing as much information as possible about your NAS is good management practice.

Example:
Suppose your company owns a Cisco Access Server with IOS 11.3, pre-configured for RADIUS support with qUaNtUm%1911 as secret and primary Ethernet IP 192.168.10.20 at your New-York facilities, which should provide access to your corporate users. Enter the Aradial Administrator interface and click on NAS&Proxy>Add Net. Access Server. When the Add NAS page opens, enter the information as follows:
For the NAS Name field, pick a name that will help you later to identify the NAS, such as CiscoNY.
In the IP field, enter the primary IP address of the NAS, in this case 192.168.10.20.
In the Secret and Confirm Secret fields, enter the secret configured for the NAS. In this scenario, the value is qUaNtUm%1911.
In the Model field, select the make and model of your NAS, in this case Cisco_IOS_11.1+ should be selected. If you cannot find your NAS in the list, try to use a generic type. Default will work fine in this scenario.
For the Location field, use a string that best describes the location of the NAS, such as New-York Offices.
For the Description field, fill in a string that best describes the NAS, such as For Corporate Users.

IP Pools
An IP Pool is a defined range of IP addresses that Aradial may allocate to connected users. IP Pools should be used only if your NAS cannot allocate IP addresses from predefined pools by itself, or if you wish to allocate one (or more) pools to multiple NASes, thus utilizing your IP addresses more efficiently. Notice that when adding or changing IP Pools, the Aradial service must be restarted in order to apply the changes. Not doing so may cause unpredictable results.

When adding a new IP Pool, you should have the following information for reference:
The IP ranges owned by your company.
The unused IP addresses you would like to assign to Aradial IP Pools.

An IP pool may range from one IP address to an entire Class A (i.e. subnet 255.0.0.0, a total of 16,777,216 IP addresses). Aradial reserves for itself three IP Pool names: NAS, USER and DHCP. Do not attempt to create IP Pools with these names. The IP Pools page may be reached from the Administrator interface by clicking NAS&Proxy > Add/Edit IP Address Pool. The Edit page of IP Pools displays the following information:

Name - The name of the IP Pool. By clicking on the name of the appropriate IP Pool, you may edit its properties.
Start IP - The first IP address in the IP Pool.
End IP - The last IP address in the IP Pool.
Action - Where the possible actions are displayed. For IP Pools the possible action is: Delete - By clicking on this link you may delete the IP Pool, if it is not used by any Group.

The Add page of IP Pools will allow you to add new IP Pools, using the following parameters:

IP Pool Name - Use this field to set a name for the IP Pool.
First IP - Enter the first IP address that should be used by this IP Pool.
Last IP - Enter the last IP address that should be used by this IP Pool.
IP addresses should in no way overlap. If a computer in your company has the same IP address as an address reserved for Aradial, you will experience unpredictable results. Although not required, as Aradial automatically calculates the range from the First IP field to the Last IP field, keep in mind the following IP class definitions:
Class A - from x.0.0.1 to x.254.254.254
Class B - from x.y.0.1 to x.y.254.254
Class C - from x.y.z.1 to x.y.z.254

Example:
Suppose your company uses the IP C classes 192.168.10.1 and 192.168.11.1 for a total of 512 IP addresses. Also, suppose the IP addresses 192.168.10.1 to 192.168.10.180 are already in use and you wish to reserve 100 IP addresses for Aradial. Enter the Aradial Administrator interface and click on Server Configuration>Add IP Pool. When the Add IP Pool page opens, enter the information as follows:
For the IP Pool Name field, pick a name which will help you later reference the IP Pool, such as C10-11(100 IPs).
In the First IP field, enter the first IP address you would like to use, in this case 192.168.10.181.
In the Last IP field, enter the last IP address you would like to use, in this case 192.168.11.27.

Advanced Server Configuration


Aradial Advanced Configuration allows you to manage several settings for Aradial, such as when reports and invoices are generated, which database to use, and more. The Advanced Server Configuration page may be reached from the Administrator interface by clicking Configuration.

Accounting Log

Internal Database Accounting Log
Enable Logging of Accounting Packets to Database - check this to allow logging the accounting to the database.
Enable Monthly Partitioning of Accounting Database Tables - check this to enable Aradial's automatic partitioning of accounting tables per month. Note: Aradial assumes that the database tables are pre-created in the database. The table name format is accountinglogYYYY_MM.
Enable Logging of Account-Start Packets (if above enabled) - enables logging of START accounting to the database. By default START packets are not logged to the accounting log.
Enable Logging of Account-Interim Packets - The RADIUS server is able to log interim accounting messages into the AccountingLog database table or to text files. The configuration of whether database or text files will be used (or both) is done in the same manner as for Accounting-Stop messages.

External File Accounting Log

Enable External Accounting Log - Use this checkbox to activate logging to a file of the accounting information sent from the NAS to Aradial.
Keep Text Accounting Log Open - do not close the file after each write; use buffered mode.
External Accounting Log Output Path and File Name - Use this field to set the path and file name to which the Accounting Log should be saved. Valid template values are:
@Y@ - Use this to insert the year in the path or file name.
@M@ - Use this to insert the month in the path or file name.
@D@ - Use this to insert the day of the month in the path or file name.
@n@ - File sequence number. Use this to enable the creation of multiple files per day. Each successive file for a specific day will have a new sequence number. Multiple files may be created due to the maximal number of lines or maximal time rules, which can cause a new file to be created on the same date. Also, a restart of the server will cause a new file to be created.
For example, using the template c:\program files\aradial\accounting\@Y@\@M@@D@.log on 3rd August 1998 will create the following report on your hard disk: c:\program files\aradial\accounting\98\08-03.log
External Accounting Log Template File Name - Use this field to set the path and file name of the template file from which the Accounting Log is generated. The template may include any of the following fields:
<HEAD> </HEAD> - The header of the exported file. Anything typed between the <HEAD> and </HEAD> tags will be displayed at the beginning of the exported file. The following fields may be entered after the <HEAD></HEAD> section:
@[d]Date@ - outputs the date the session took place on.

@Time@ - outputs the time the session took place on.
@NASIP@ - outputs the IP address of the NAS to which the user logged on.
@Acct-Session-Id@ - outputs the session id of the accounting request.
@Client-Port-Id@ - outputs the port number of the NAS through which the user logged on.
@Acct-Status-Type@ - outputs a number that indicates whether this Accounting Request marks the beginning of the user service (i.e. Start, returns 1) or the end (i.e. Stop, returns 2).
@User-Name@ - outputs the User ID of the user.
@Acct-Authentic@ - outputs a number that indicates how the user was authenticated, whether by RADIUS (returns 1), the NAS itself (returns 2) or by another authentication protocol (returns 3).
@User-Service-Type@ - outputs the number of the service granted to the user, as designated by the NASCfgDbs file.
@Framed-Protocol@ - outputs 1 if the Service Type granted to the user is a framed protocol (e.g. PPP), or 0 if it is not (e.g. Telnet).
@Framed-Compression@ - outputs the type of compression used when using a framed protocol.
@Framed-Address@ - outputs the IP address given to the user when granted a framed protocol service (e.g. PPP).
@Login-Service@ - outputs 1 if the Service Type granted to the user is a login service (e.g. Rlogin), or 0 if it is not (e.g. PPP).
@Login-Host@ - outputs the IP address to which the user is logged on when using a Login Service.
@Acct-Delay-Time@ - outputs the time, in seconds, that the NAS has been trying to send the accounting request.
@Acct-Session-Time@ - outputs how many seconds the user has received service for.
@Acct-Input-Packets@ - outputs how many packets have been received from the port over the course of a service being provided to a Framed User.
@Acct-Output-Packets@ - outputs how many packets have been sent to the port in the course of delivering a service to a Framed User.
@NAS-Port-Type@ - outputs the type of port the user is using, as designated by the NASCfgDbs/Dictionary file.

@Acct-Terminate-Cause@ - outputs a number that describes why a user has disconnected, as designated by the NASCfgDbs/Dictionary file.
External Accounting Log Complete File Name - The final file format for completed files. It will usually contain a different path than the file name format. Please note: the format must contain the @n@ reference in order for multiple files on the same date to be possible. The @n@ must also appear in the File Name format.
Maximal Time for a File - The maximum time (in seconds) from the creation of the file until finalizing the file. Note that the file is finalized when the first record arrives after the max time; it will not be finalized while no record arrives.
Please note: the Output Path and File Name and Complete File Name options may include any input RADIUS attribute, in addition to the date/time references.
Example: in order to save accounting files in a different directory per "Service-Type":
External Accounting Log Output Path and File Name = c:\ProgramFiles\Aradial\Accounting\@ServiceType@\Acct@hh@@mm@@yyyy@@n@
External Accounting Log Complete File Name = c:\ProgramFiles\Aradial\Accounting\Completed\@Service-Type@\Acct@hh@@mm@@yyyy@@n@
Maximal Number of Lines in a File = 2000
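The following Python program is an added example, not Aradial code, showing the mechanics the fields above describe: template expansion with @Y@, @M@, @D@, @n@ and RADIUS attribute references, a per-file line limit, age-based finalization only when the next record arrives, and the rename to the Complete File Name. It assumes two-digit year, month and day (as in the 98 / 08-03 example), @Date@ and @Time@ for the record line, and writes constructed records into a temporary directory.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta
from typing import Dict, Optional

TOKEN = re.compile(r"@([A-Za-z0-9\-]+)@")   # @Y@, @n@, @User-Name@ ...


def expand(template: str, when: datetime, seq: int, attrs: Dict[str, object]) -> str:
    """Expand date/sequence references and @Attribute@ fields of a template.
    Two-digit @Y@/@M@/@D@ is an assumption taken from the page's 98/08-03 example."""
    fixed = {"Y": f"{when.year % 100:02d}", "M": f"{when.month:02d}", "D": f"{when.day:02d}",
             "n": str(seq), "Date": when.strftime("%Y-%m-%d"), "Time": when.strftime("%H:%M:%S")}
    # Any other key is read as a RADIUS attribute of the record; missing ones expand to "".
    return TOKEN.sub(lambda m: fixed.get(m.group(1), str(attrs.get(m.group(1), ""))), template)


class AccountingLogWriter:
    """Writes accounting records to files named from a template, rolls over by line
    count or age, and renames finished files to the Complete File Name."""

    def __init__(self, output_tpl: str, complete_tpl: str, line_tpl: str,
                 max_lines: int, max_time: timedelta):
        if "@n@" not in output_tpl or "@n@" not in complete_tpl:
            raise ValueError("@n@ must appear in both the output and the complete file name")
        self.output_tpl, self.complete_tpl, self.line_tpl = output_tpl, complete_tpl, line_tpl
        self.max_lines, self.max_time = max_lines, max_time
        self.open: Dict[str, dict] = {}   # open file per expanded path (with @n@ fixed)
        self.seq: Dict[str, int] = {}     # @n@ counter per such path

    def _key(self, when: datetime, attrs: Dict[str, object]) -> str:
        # Same date and same attribute values (e.g. Service-Type) map to the same file.
        return expand(self.output_tpl, when, 0, attrs)

    def _start(self, key: str, when: datetime, attrs: Dict[str, object]) -> None:
        self.seq[key] = self.seq.get(key, 0) + 1
        path = expand(self.output_tpl, when, self.seq[key], attrs)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        self.open[key] = {"path": path, "fh": open(path, "w", encoding="utf-8"),
                          "opened": when, "lines": 0, "attrs": attrs}

    def finalize(self, key: str) -> Optional[str]:
        """Close the file and move it to its Complete File Name; returns that name."""
        f = self.open.pop(key, None)
        if f is None:
            return None
        f["fh"].close()
        done = expand(self.complete_tpl, f["opened"], self.seq[key], f["attrs"])
        os.makedirs(os.path.dirname(done), exist_ok=True)
        os.replace(f["path"], done)
        return done

    def write(self, when: datetime, attrs: Dict[str, object]) -> Optional[str]:
        """Log one record. Returns the completed path if this call finalized a file:
        an aged file is only finalized when the next record for it arrives."""
        key = self._key(when, attrs)
        done = None
        f = self.open.get(key)
        if f and (f["lines"] >= self.max_lines or when - f["opened"] > self.max_time):
            done = self.finalize(key)
            f = None
        if f is None:
            self._start(key, when, attrs)
            f = self.open[key]
        f["fh"].write(expand(self.line_tpl, when, self.seq[key], attrs) + "\n")
        f["fh"].flush()
        f["lines"] += 1
        return done


def demo(root: Optional[str] = None) -> dict:
    """Constructed run: four Stop records, two Service-Types, at most 2 lines per file."""
    root = root or tempfile.mkdtemp(prefix="acctlog-")
    w = AccountingLogWriter(
        os.path.join(root, "acct", "@Service-Type@", "@Y@", "@M@-@D@_@n@.log"),
        os.path.join(root, "completed", "@Service-Type@", "@Y@", "@M@-@D@_@n@.log"),
        "@Date@,@Time@,@User-Name@,@NAS-IP-Address@,@Acct-Status-Type@,@Acct-Session-Time@",
        max_lines=2, max_time=timedelta(hours=1))
    t = datetime(1998, 8, 3, 10, 0, 0)
    base = {"Service-Type": 2, "NAS-IP-Address": "192.0.2.1", "Acct-Status-Type": 2}
    results = [
        w.write(t, {**base, "User-Name": "alice", "Acct-Session-Time": 60}),
        w.write(t + timedelta(minutes=1), {**base, "Service-Type": 1, "User-Name": "bob",
                                           "Acct-Session-Time": 5}),
        w.write(t + timedelta(minutes=2), {**base, "User-Name": "carol", "Acct-Session-Time": 120}),
        w.write(t + timedelta(minutes=3), {**base, "User-Name": "dave", "Acct-Session-Time": 9}),
    ]
    rel = lambda p: os.path.relpath(p, root).replace(os.sep, "/")
    with open(results[3], encoding="utf-8") as fh:
        completed_lines = fh.read().splitlines()
    return {"rolled": [r is not None for r in results], "completed": rel(results[3]),
            "completed_lines": completed_lines,
            "open": sorted(rel(f["path"]) for f in w.open.values())}
```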

Interim Accounting

This feature allows Aradial to monitor the user's activity within a session. Aradial will receive interim accounting from the NAS and save it in the Interim table. If a STOP for the session is not received after Time to Consider Session as Lost, a STOP will be generated based on the last recorded session attributes held in the Interim table.

This section is used to configure the Interim Cleaner Service. The interim cleaner works when the router is sending Interim Updates in the accounting. The service is disabled by default. To enable it:
a. Use Windows services to set it to restart automatically.
b. Enable the feature in Metering.tcl.
Check for Lost Sessions Frequency - the frequency at which the interim cleaner will check the database for sessions that have stopped reporting.
Time to Consider Session as Lost - the time gap from the last reported interim after which the session is considered lost. For every lost session, the interim cleaner will take the action defined in the Stop Type configuration.
Stop Type - the action the interim cleaner will take for lost sessions:
Passive Disconnect - A passive disconnect operation will be applied to the lost session. This means that the session will be removed from the active session list.
Account Stop - An Account Stop message will be simulated for the lost session, with time usage information according to the last Interim message received for the session. This means that the session will be treated as if an Account Stop was received for it with the same details as the last Interim message.
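An added example (not Aradial code) modelling one pass of the interim cleaner over a constructed Interim table. The two Stop Type behaviours and the way the simulated Account Stop reuses the counters of the last Interim follow the description above; the record fields and the "Generated-By" marker are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set


@dataclass
class InterimRecord:
    """Last Interim-Update seen for one session (one row of the Interim table)."""
    session_id: str
    user_name: str
    nas_ip: str
    last_update: datetime      # when the last Interim-Update arrived
    acct_session_time: int     # seconds, as reported by the NAS in that update
    acct_input_octets: int
    acct_output_octets: int


@dataclass
class CleanerConfig:
    lost_after: timedelta      # "Time to Consider Session as Lost"
    stop_type: str             # "Passive Disconnect" or "Account Stop"


def find_lost_sessions(interim: Dict[str, InterimRecord], now: datetime,
                       cfg: CleanerConfig) -> List[InterimRecord]:
    """A session is lost when no interim arrived within the configured gap."""
    return [r for r in interim.values() if now - r.last_update > cfg.lost_after]


def simulated_stop(r: InterimRecord, now: datetime) -> dict:
    """The Accounting-Stop the cleaner simulates for a lost session: the usage
    counters are those of the last Interim, not extrapolated to 'now'."""
    return {
        "Acct-Status-Type": 2,                 # Stop, as in the accounting-log template
        "Acct-Session-Id": r.session_id,
        "User-Name": r.user_name,
        "NAS-IP-Address": r.nas_ip,
        "Acct-Session-Time": r.acct_session_time,
        "Acct-Input-Octets": r.acct_input_octets,
        "Acct-Output-Octets": r.acct_output_octets,
        "Generated-By": "interim-cleaner",     # constructed marker, not a RADIUS attribute
        "Generated-At": now.isoformat(),
    }


def run_cleaner(interim: Dict[str, InterimRecord], active: Set[str],
                cdrs: List[dict], now: datetime, cfg: CleanerConfig) -> List[str]:
    """One pass of the cleaner (run every 'Check for Lost Sessions Frequency').
    Returns the ids of the sessions it closed."""
    closed = []
    for r in find_lost_sessions(interim, now, cfg):
        active.discard(r.session_id)           # both stop types drop it from the active list
        if cfg.stop_type == "Account Stop":    # only this type produces a CDR
            cdrs.append(simulated_stop(r, now))
        del interim[r.session_id]
        closed.append(r.session_id)
    return closed


def demo(stop_type: str = "Account Stop") -> dict:
    """Constructed scenario: two sessions, one still reporting and one silent for 20 minutes."""
    now = datetime(2024, 1, 1, 12, 0, 0)
    interim = {
        "s1": InterimRecord("s1", "alice", "192.0.2.10", now - timedelta(minutes=2),
                            3600, 10_000_000, 2_000_000),
        "s2": InterimRecord("s2", "bob", "192.0.2.10", now - timedelta(minutes=20),
                            900, 500_000, 100_000),
    }
    active = {"s1", "s2"}
    cdrs: List[dict] = []
    cfg = CleanerConfig(lost_after=timedelta(minutes=15), stop_type=stop_type)
    closed = run_cleaner(interim, active, cdrs, now, cfg)
    return {"closed": closed, "active": sorted(active), "cdrs": cdrs,
            "remaining": sorted(interim)}
```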

Authentication

Administrator Login - Use this field to change the name required to enter the Aradial Administrator interface.
Administrator Password - Use this field to change the password required to enter the Aradial Administrator interface. Make this password as secure as possible, meaning it should contain at least 8 characters, preferably mixed letters, numbers and special characters such as !@#$%^&.
Administrator Confirm Password - Use this field to confirm the password change.
Aradial Admin Realm - The name of your domain, used when authenticating OS users.
Enable SecurID Authentication - Use this checkbox in order to enable SecurID token-based authentication using ACE/Server from Security Dynamics. For further information on using ACE/Server with Aradial, please refer to Appendix G.
SecurID Auto Add on 1st Connect Group - when a user logs in via SecurID, automatically add the user to this group.
Perform Password Authentication - enable/disable password authentication system wide.

Chillispot Integration / UAM secret - special secret used by the Chillispot walled garden. This secret should be the same as configured in Chillispot for the Aradial portal.

Database

Database Connect String - Use this field to change the connect string to the Aradial database. The connection string format is DatabaseName;User;Password. If no user name and password are needed, you may omit them and their semicolon (;) delimiter. Notice that although Aradial ships with a non-secure database (i.e. no user ID/password is required), it is important to add the user ID and password to both the database and the Database Connect String for security reasons.
Primary User Database - Use this selection box to set the first user database against which the users will be checked. Available options are:
ARADIAL - Aradial proprietary database.
OS - Windows and Active Directory user database.
LDAP - LDAP directory server database.
SecureID - No longer supported.
By using ARADIAL you will perform the authentication and accounting procedure against the Aradial user database.

By using OS you will perform the authentication against the Windows SAM and Active Directory user database. You will need to create a Group under Aradial that matches the primary user group in NT. Once a group or groups are created on both Aradial and Windows, Aradial will be able to authenticate requests from users existing in the Windows user database, and permit them to access the network. Refer to the Windows documentation to learn how to set a user's primary group.
By using LDAP you will perform the authentication against the LDAP server as configured under Server Configuration>LDAP Configuration. You will need to create a Group under Aradial that matches the group derived from the LDAP server via the Group Attribute Name as set in Server Configuration>LDAP Configuration.
Secondary User Database - Use this selection box to set the second database against which the users will be checked, in case they were not found in the Primary User Database. Available options are:
<None> - No secondary database.
ARADIAL - Aradial proprietary database.
OS - Windows and Active Directory user database.
LDAP - LDAP directory server database.
Maximal Server Open Connections - Use this field to set the maximum number of database connections allowed at once. The default value is 4. If you require a higher number of concurrent transactions to be processed, make sure you have the right hardware. The number of connections must be greater than the total number of threads (authorization and accounting) plus 2.
Maximal Admin Open Connections - Use this field to set the maximum number of database connections allowed at once. The default value is 4. If you require a higher number of concurrent transactions to be processed, make sure you have the right hardware.
Server Connection Timeout (-1 = disabled) - a timeout for database operations on the RADIUS server and Interim Cleaner process (in seconds). This parameter can be used to cancel deadlocked database operations.
Admin Connection Timeout (-1 = disabled) - a timeout for database operations on the Admin and WSC (in seconds).

E-Mail

SMTP Host - Use this field to set/change the address or domain name of your mail server (SMTP). Notice you must configure your SMTP host to accept relays from the machine running Aradial. Not doing so will not allow Aradial to send emails to your users and yourself. Refer to your mail server documentation for information on how to allow email relay.
Default Domain Name - Use this field to set/change the default domain name from which and to which email should be sent. If any of your users have an empty Email Address field, the Local Domain Name will be used as their email domain. For example, if your domain is acme.com and the user JohnDoe does not have an email address, Aradial will attempt to send any email for JohnDoe to JohnDoe@acme.com.
Admin E-Mail - the administrator email address.
LDAP Integration - Please refer to the LDAP section.


Periodic Actions

Session Garbage Collection

Remove Old Sessions Every - In some cases users disconnect from your network abnormally. The NAS may then never tell Aradial to stop accounting, so the user remains registered as online. This is called an Old Session. Use this field to set, in minutes, how often Aradial should check for such sessions. The default is 720 (12 hours).

Session is Considered Old After - Use this field to set, in minutes, the period after which a session is considered old and is terminated. The default is 1440 (24 hours). Old sessions are not only untidy: a stale session keeps its IP address allocated and makes the user appear online in reports until it is cleaned up.

IP Address Garbage Collection

Remove Non-Confirmed IPs Every - In some cases a user is authenticated, but because of an abrupt disconnection the NAS never starts accounting. When Aradial IP Pools are used the IP address is allocated as soon as the user is authenticated, so in this case the address is wasted, because the user is not actually connected. This is called an Old IP. Use this field to set, in minutes, how often Aradial should check for such wasted IP addresses.

IP is Considered Non-Confirmed After - Use this field to set, in minutes, the period after which an unconfirmed IP is considered old and is freed. Set this to the expected interval between the authentication request (when Aradial allocates the IP for the user) and the Accounting Start message sent by the NAS. The default is 5.

Statistics Collection

Enable Statistics - Enable or disable writing statistics to the database.


Generate Statistics Every - Use this field to set, in minutes, how often session statistics are updated in the Aradial database. A lower value gives more accurate statistics but puts more load on the database. The default value is 5.


Security

Password Lockout Policy

Enable Password Lockout - Use this checkbox to activate the password lockout feature, which locks a user out of the network after too many wrong password attempts. Be aware that lockout is also a denial-of-service lever: anyone who knows a User ID can lock that user out by sending wrong passwords, so choose the thresholds with that in mind and watch the logs for bursts of rejections.

Lockout After - Use this field to set after how many wrong password attempts the user is locked out.

Lockout Duration - Use this field to set for how long, in minutes, a user stays locked out.

Reset Count After - Use this field to set after how much time, in minutes, the wrong-password counter is reset (i.e. how long the retry counter is kept).

Password Expiration Policy

Enable Password Expiration - Use this checkbox to force users to set a new password each period.

Password Expires Every - The period after which a password expires and the user must change it.
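The following Python is added here as an example of how the three lockout settings interact; it is not Aradial's code, and the manual does not describe Aradial's own implementation, so the counter and timing semantics (the retry counter restarts once Reset Count After has elapsed since the first failure of the current streak; attempts while locked are rejected without being counted) are assumptions. User names and timestamps are constructed.

```python
"""Password lockout bookkeeping for the Lockout After / Lockout Duration /
Reset Count After settings. Added example, not Aradial code."""
from datetime import datetime, timedelta


class LockoutPolicy:
    def __init__(self, lockout_after, lockout_minutes, reset_minutes):
        self.lockout_after = lockout_after                  # failures before lockout
        self.lockout = timedelta(minutes=lockout_minutes)   # Lockout Duration
        self.reset = timedelta(minutes=reset_minutes)       # Reset Count After
        self._state = {}   # user -> {"failures", "first_failure", "locked_until"}

    def _entry(self, user):
        return self._state.setdefault(
            user, {"failures": 0, "first_failure": None, "locked_until": None})

    def is_locked(self, user, now):
        e = self._entry(user)
        return e["locked_until"] is not None and now < e["locked_until"]

    def record_failure(self, user, now):
        """Count a wrong password; returns True if this failure triggered a lockout."""
        e = self._entry(user)
        if self.is_locked(user, now):
            return False   # already locked: reject without counting (assumption)
        # Reset Count After: restart the counter once the window since the first
        # failure of the current streak has elapsed.
        if e["first_failure"] is None or now - e["first_failure"] >= self.reset:
            e["failures"] = 0
            e["first_failure"] = now
        e["failures"] += 1
        if e["failures"] >= self.lockout_after:
            e["locked_until"] = now + self.lockout
            e["failures"] = 0
            e["first_failure"] = None
            return True
        return False

    def record_success(self, user, now):
        """A correct password clears the counter, unless the account is locked."""
        if self.is_locked(user, now):
            return False
        self._state[user] = {"failures": 0, "first_failure": None, "locked_until": None}
        return True


def demo():
    """Three quick failures lock johndoe for 30 minutes, even a correct password is
    refused meanwhile, and janedoe's failures spaced 11 minutes apart never lock her
    because the counter is reset after 10 minutes. All timestamps are constructed."""
    t0 = datetime(2007, 10, 28, 12, 0, 0)
    policy = LockoutPolicy(lockout_after=3, lockout_minutes=30, reset_minutes=10)
    triggered = [policy.record_failure("johndoe", t0 + timedelta(minutes=i)) for i in range(3)]
    locked_now = policy.is_locked("johndoe", t0 + timedelta(minutes=3))
    correct_while_locked = policy.record_success("johndoe", t0 + timedelta(minutes=3))
    locked_later = policy.is_locked("johndoe", t0 + timedelta(minutes=33))
    slow = [policy.record_failure("janedoe", t0 + timedelta(minutes=11 * i)) for i in range(5)]
    return {"triggered": triggered, "locked_now": locked_now,
            "correct_while_locked": correct_while_locked,
            "locked_later": locked_later, "slow_failures_locked": any(slow)}
```

The janedoe case is the one to keep in mind when tuning: a Reset Count After shorter than the interval between an attacker's guesses lets a slow online guessing run continue indefinitely without ever tripping the lockout, so the reset window, not only the attempt count, decides what the policy actually stops.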


Notify of Password Expiration - This setting is used by a script that sends the expiration notification.

Password Strength

Password Case Sensitive - Use this checkbox to set whether user passwords are case sensitive. If unchecked, a correct password is accepted regardless of letter case: a user whose password is HelloWorld will get in with hELLOwORLD, helloWORLD or HeLlOwOrLd. Only Plain passwords (see Password Encryption Method below) can be case insensitive, since a hashed password cannot be compared case-insensitively. Disabling case sensitivity shrinks the effective password space, so leave it enabled unless you have a specific reason not to.

Warn Password Score - Use this field to specify a warning-level password score. A password scoring above this value but below the Minimum Password Score can only be set by checking Force Password in the user record.

Minimum Password Score - Use this field to specify the minimum acceptable password score. The score is calculated whenever a new password is set for a user. A higher Minimum Password Score forces stronger, though harder to remember, passwords. The score is calculated as follows:
+100 for each letter in the password, e.g. hello, which has five letters, scores +500.
-30 for each repeated letter, e.g. refresh, which has both r and e twice, scores -120.
-50 for each letter in a word that matches a word in the dictionary, e.g. cat scores -150.
-40 for each repeated consecutive letter, e.g. hello, with two consecutive l's, scores -40.
-50 for each letter in a letter series, e.g. ace, in which a is two letters from c, which is again two letters from e, scores -150.
-70 for each following letter, e.g. abc scores -210.
-50 for each following letter in steps of more than one letter, e.g. azbzcz scores -150.
-50 for each letter in the password that matches a letter in the User ID, e.g. user hello with password hello scores -250.
A value of 0 (zero) disables this feature and allows any password (not advisable).
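The scoring rules above, implemented in Python as an added example (this is not Aradial's code). Each rule is its own function so that the manual's per-rule examples can be reproduced one at a time; the dictionary is a constructed stand-in, and where the manual is ambiguous (runs shorter than three letters, descending sequences, how the User ID match is counted) the comments state the reading chosen. The `classify` helper applies the Warn and Minimum thresholds as the text describes them.

```python
"""Password scoring after the rule list in the manual. Added example, not Aradial code."""
from collections import Counter

# Constructed stand-in for the dictionary Aradial consults (assumption: lower-case words).
DEFAULT_DICTIONARY = {"cat", "dog", "password"}


def base_score(pw):
    return 100 * len(pw)                       # +100 per character


def repeated_letter_penalty(pw):
    """-30 for every character whose letter occurs more than once ("refresh" -> 120)."""
    low = pw.lower()
    counts = Counter(low)
    return 30 * sum(1 for ch in low if counts[ch] > 1)


def dictionary_penalty(pw, dictionary=DEFAULT_DICTIONARY):
    """-50 per character covered by a dictionary word ("cat" -> 150)."""
    low = pw.lower()
    covered = [False] * len(low)
    for word in dictionary:
        start = low.find(word)
        while start != -1:
            for i in range(start, start + len(word)):
                covered[i] = True
            start = low.find(word, start + 1)
    return 50 * sum(covered)


def consecutive_repeat_penalty(pw):
    """-40 per character equal to its predecessor ("hello" -> 40)."""
    low = pw.lower()
    return 40 * sum(1 for i in range(1, len(low)) if low[i] == low[i - 1])


def _run_positions(low, stride, step, min_len=3):
    """Indices belonging to a run of at least min_len characters, `stride` positions
    apart, whose code points rise by exactly `step` (assumption: ascending runs only,
    and a run must be at least three characters long to count)."""
    hit = set()
    for start in range(len(low)):
        run = [start]
        i = start
        while i + stride < len(low) and ord(low[i + stride]) - ord(low[i]) == step:
            i += stride
            run.append(i)
        if len(run) >= min_len:
            hit.update(run)
    return hit


def series_penalty(pw):
    """-50 per character in a letter series with gaps of one letter ("ace" -> 150)."""
    return 50 * len(_run_positions(pw.lower(), stride=1, step=2))


def following_penalty(pw):
    """-70 per character in a run of following letters ("abc" -> 210)."""
    return 70 * len(_run_positions(pw.lower(), stride=1, step=1))


def spaced_following_penalty(pw):
    """-50 per following letter found in steps of more than one position ("azbzcz" -> 150)."""
    low = pw.lower()
    hit = set()
    for stride in range(2, len(low) // 2 + 1):
        hit |= _run_positions(low, stride=stride, step=1)
    return 50 * len(hit)


def user_id_penalty(pw, user_id):
    """-50 per password character that also appears in the User ID (assumption:
    any position, not only the same position; "hello"/"hello" -> 250)."""
    uid = user_id.lower()
    return 50 * sum(1 for ch in pw.lower() if ch in uid)


def password_score(pw, user_id, dictionary=DEFAULT_DICTIONARY):
    return (base_score(pw)
            - repeated_letter_penalty(pw)
            - dictionary_penalty(pw, dictionary)
            - consecutive_repeat_penalty(pw)
            - series_penalty(pw)
            - following_penalty(pw)
            - spaced_following_penalty(pw)
            - user_id_penalty(pw, user_id))


def classify(score, warn_score, min_score):
    """'ok' at or above Minimum Password Score, 'force' (accepted only with the Force
    Password box) above Warn but below Minimum, otherwise 'reject'. A Minimum of 0
    disables the check altogether."""
    if min_score == 0 or score >= min_score:
        return "ok"
    if score > warn_score:
        return "force"
    return "reject"
```

Running the per-rule functions on the manual's own examples reproduces its numbers, and `password_score("hello", "john")` shows how the rules stack: +500 for five letters, -60 for the repeated l, -40 for the consecutive ll and -100 for the h and o shared with the User ID, for a total of 300.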
Password Storage Encryption

Password Encryption Method - Use this selection box to set how password entries are stored in the user database. Aradial marks each entry with a leading character so that it knows which method was used:
Plain - The password is stored as is. Aradial prepends a space to the password to mark it as not encrypted. Anyone with read access to the database (or to a User Export file) can read these passwords.
Sha - The password is stored as a SHA hash. Aradial prepends an S to the entry to mark it. A hash is one-way, so such passwords cannot be recovered from the database, but they also cannot be compared case-insensitively.
Crypt - The password is stored as a UNIX crypt hash. Aradial prepends a C to the entry to mark it.
Note that hashed storage only works with authentication methods in which the NAS sends the password itself (PAP); CHAP-style methods need the clear-text password on the server.

NAS Encrypt Secrets - Use this field to tell Aradial that NAS shared secrets should be stored encrypted in the database rather than as plain text.

Session Caching

Enable Session Caching - Use this checkbox to activate Session Caching. Session Caching is used to find and eliminate duplicate user sessions, and should normally be active. Do not change this setting unless instructed by Aradial's support.

Cached Session Expiration - Use this field to set, in minutes, how long a session is cached. A higher value consumes more memory (about 30 bytes for each additional session kept in memory, per NAS). Do not change this setting unless instructed by Aradial's support.

Maximal Cached Sessions - Use this field to set the number of cached sessions. A higher value consumes more memory (about 30 bytes for each additional session kept in memory, per NAS). Do not change this setting unless instructed by Aradial's support.
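An added Python example, not Aradial code, of the prefix-tagged storage scheme described under Password Storage Encryption and of why case-insensitive matching is only possible for Plain entries. The digest encoding (unsalted SHA-1, hex) is an assumption about what the Sha method stores; the Crypt method is left out because Python's crypt module is platform-specific and deprecated.

```python
"""Prefix-tagged password storage: ' ' = plain, 'S' = SHA digest, 'C' = UNIX crypt.
Added example, not Aradial code; SHA-1 hex for the 'S' form is an assumption."""
import hashlib
import hmac


def store_password(password, method="Sha"):
    """Return the database form of a password for the chosen storage method."""
    if method == "Plain":
        return " " + password
    if method == "Sha":
        # Unsalted digests of short passwords are cheap to reverse with precomputed
        # tables, so the Users table must still be treated as sensitive.
        return "S" + hashlib.sha1(password.encode("utf-8")).hexdigest()
    raise ValueError("unsupported method: " + method)


def verify_password(stored, candidate, case_sensitive=True):
    """Check a candidate against a stored entry. Case-insensitive matching can only
    work for Plain entries: the hash of a differently cased string is a different hash,
    so for 'S' entries the case_sensitive flag is ignored."""
    if not stored:
        return False
    tag, body = stored[0], stored[1:]
    if tag == " ":
        if case_sensitive:
            return hmac.compare_digest(body.encode("utf-8"), candidate.encode("utf-8"))
        return hmac.compare_digest(body.lower().encode("utf-8"),
                                   candidate.lower().encode("utf-8"))
    if tag == "S":
        digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest()
        return hmac.compare_digest(body, digest)
    if tag == "C":
        return False   # crypt comparison deliberately not implemented here
    return False       # unknown tag: treat as a corrupt entry
```

`hmac.compare_digest` is used rather than `==` so that the comparison time does not depend on how many leading characters match.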


Miscellaneous

Service Provider Name - Change this field to show a different organization name on the Summary page.
Date Format - Choose one of the available date formats. Aradial displays dates in the various pages according to the selected format.
Treat 1 Kbyte as - Choose whether 1 KB is the real 1024 bytes or the rounded 1000 bytes. The value is used by Aradial in session calculations and free-volume accounting.
Use European Floating Convention - Whether to use the European floating-point convention (comma rather than dot as the decimal separator).
SYSLOG Host - Use this field to enter the IP address of a machine running a SYSLOG server. The SYSLOG server receives from Aradial any log data that has been configured for delivery to the SYSLOG host. Traditional syslog travels in the clear and unauthenticated, so send it only over a network you trust.
SYSLOG Admin Facility - The syslog facility used for Admin log messages.
SYSLOG Admin Level - The syslog level used for Admin log messages.
SYSLOG Server Facility - The syslog facility used for RADIUS Server log messages.
SYSLOG Server Level - The syslog level used for RADIUS Server log messages.
Domain Name - The Windows domain name (used when sending e-mail).

Aradial RADIUS Server Path - Use this field to change the path to the Aradial executables and data.
Persistent IP Pools - If you check this box, Aradial keeps all IP addresses currently assigned to users in the database, so that if you stop and restart the Aradial service the assignment information is retained. Persistent IP Pools has two downsides: if the service is stopped for a substantial time after IPs have been assigned, you may waste IP addresses, as the users may already have disconnected; and the option slows down Aradial's response time.
Distributed IP Pool - Whether to use distributed IP Pools across multiple Aradial servers. In this mode Aradial uses the database to store and allocate IPs.
Enable Active Sessions List - Enable or disable keeping the active sessions list.
Distributed Active Sessions - Share the active sessions list across multiple Aradial servers. When unchecked, the active sessions are deleted when the server starts.
Enable Multithreading - Indicates whether the server works in multithreading mode.
Enable Extended RADIUS Attributes - Whether to activate the extended RADIUS attribute fields at the user and group levels.

Metering


Database Type - Determines the database type Aradial works with. The default is an MS Access database; MS SQL Server, MySQL and Oracle are also supported. Note that this configuration item is relevant only to the Metering functionality.
Enable Interim Cleaning - Determines whether interim cleaning is enabled. When it is, interim accounting messages are used to clean up active sessions accurately: when an active session has received no interim accounting update for a configurable time, it is removed from the active sessions table and, optionally, an accounting log entry is generated for it.
Enable Interim Charging - Determines whether interim charging is enabled. When it is, the metering banks are updated on every interim accounting message. This is useful when the same user has several prepaid sessions, as the metering banks are then always up to date (as of the last interim update). Enabling interim charging automatically enables interim cleaning.
Upload Download Ratio - Specifies the ratio between upload and download volume. For example, 0.3 means that 30% of the total received volume is treated as upload and 70% as download.
Number of Interpreters - Specifies the number of TCL engines. This number should match the thread count in the rad_algs configuration file.


Server Control

The Server Control page can be found under Advanced Configuration > Server Control.

Aradial can refresh a subset of its reference data on the fly, without a server restart. The multi-RADIUS-server enhancement lets the Admin dynamically update multiple RADIUS servers when one of the following reference entities is changed:
a. NAS
b. Group
c. Realm Group
d. Realm
e. Target

The following sections are available in the GUI:

Server 1 Control:
Server notify port - The port of the RADIUS server's notification socket, which is used for sending refresh notification commands.


Server notify secret - The password used to authenticate the secured connection to the server being updated.
Confirm server notify secret - Password confirmation.
Server notify timeout - Timeout for server notification, in seconds.
The second section (Server 2 Control) has the same settings for the second RADIUS instance. Use a strong, unique secret here: whoever can reach the notify port and knows the secret can push reference data changes to the server.

Radius Server

Control Port - A UDP control port used to send Packet of Disconnect (PoD) requests to the RADIUS server. The default is 1814. Because requests on this port can terminate user sessions, restrict network access to it to the hosts that legitimately send PoD requests.
Control Threads - The number of server threads to use for control requests. The default is 1.


LDAP
The Lightweight Directory Access Protocol (LDAP) is a client-server protocol for accessing online directory services. For an overview of LDAP-based directory services, see RFC 1777, available at http://www.umich.edu/~dirsvcs/ldap/doc/rfc/rfc1777.txt (RFC 1777 describes LDAPv2; current servers implement LDAPv3). Aradial can authenticate users against your LDAP server, if you have one. To allow Aradial to receive information from your LDAP server you need to perform two tasks:
Configure Aradial with your LDAP server parameters.
Create parallel user accounts under Aradial and the LDAP server, or set the LDAP server as your primary or secondary user database (described in the Advanced Configuration section).
The Aradial LDAP mapping schema can be found under Hts/Messages/LDAPUserScheme.tpl. It maps the Aradial user attributes to LDAP attributes.

Configuring LDAP server parameters

The LDAP Configuration page is reached from the Administrator interface by clicking Server Configuration > LDAP Configuration. It lets you define the settings Aradial needs to talk to your LDAP server, using the following parameters:

Enable LDAP - Check this box to enable LDAP.


LDAP Host - Enter the IP address or domain name of your LDAP server.
LDAP Port - Enter the TCP port of your LDAP server; this is usually 389. LDAP on port 389 is not encrypted unless the server negotiates StartTLS, so the Bind Password and the user lookups cross the network in the clear; keep Aradial and the LDAP server on a trusted network segment.
Number of Connections - Enter the number of LDAP connections the RADIUS server keeps open to the LDAP server. This should reflect the number of defined authentication threads; a higher number lets the RADIUS server scale up.
Bind DN - Enter the DN (user name) used to log in to the LDAP server and read user information. Use an account that has read access to the user entries and nothing more.
Bind Password - Enter the password of the Bind DN.
Bind Confirm Password - Re-enter the password of the Bind DN.
Search Base DN - Enter the Distinguished Name (DN) of the entry under which user lookups are based.
The mapping of LDAP schema attributes to Aradial user attributes is defined in a template file (HTS\Messages\LDAPUserScheme.tpl) and can be modified to suit your LDAP schema. Once the LDAP configuration has been applied, you may authenticate users stored in your LDAP server in two ways:
Create parallel user accounts under Aradial - simply add the users and specify their password as LDAP.
Set the LDAP server as the primary or secondary user database - select LDAP in the Advanced Configuration page.


Data Management
The Data Management section includes a number of utilities to help you manage your database and configure logging options for all Aradial components. The Data Management section was mentioned earlier in this chapter, as two of its utilities add new users to Aradial by importing them from text files or from Windows. Additional functionality in the Data Management section includes:
Logging Configuration - Configure extensive logging of each Aradial component and of their database connections (ODBC).
Action Log - Aradial logs all add, update and delete operations performed via the web interfaces. Using this function you can view the changes made to the database by such operations.
DB Operations - To keep the database fast and reliable, Aradial lets you purge and reset any non-essential data through this function.
Batch Management - Aradial lets you administer all the data in the user database using proprietary text files. After exporting user information to a text file with the Export function, described below, you can alter it with any text editor and upload the altered information with the Batch Management utility.
User Export - Aradial lets you export all user information to a template-driven text file, so that you can use the exported information however you need (e.g. import it into another database).
File User Import and OS User Import - please review the section under Users.


Logging Configuration
Aradial can extensively log to text files all operations it conducts, from server start to ODBC errors. The Log Configuration page lets you set the logging options for each Aradial component, such as starting and stopping logging, erasing and time-stamping the resulting log files, and the physical location of the log files. The Logging Configuration page is accessible via the Administrator interface by clicking Data Management > Logging Configuration. The page displays all loggable components:

Server - The main Aradial component, in charge of handling the RADIUS packets, authenticating and authorizing users and performing accounting for them.
Administrator Interface - The component through which you, as the administrator, manage all aspects of Aradial.

For each of the above components, you may log the following events:
Severe - Severe errors, which may affect the functionality of Aradial.
Warning - Non-critical errors; these can usually be disregarded unless they happen continuously.
Info - Information on most steps the component performs. Usually you should not turn this on, as it generates a lot of output and slows the logged component down.
Debug - Logs every single step the component performs. Use this only in desperate situations, as it generates a great amount of output and slows the logged component down considerably.
ODBC Severe - Severe ODBC errors, which may cause data faults in the database or information not being written to it.
ODBC Warning - Non-critical ODBC errors; these can usually be disregarded unless they happen continuously.
ODBC Info - Information on most database operations the component performs. Usually you should not turn this on, as it generates a lot of output and slows the logged component down.

The Server component can log additional events:
Statistics - Logs the time, in milliseconds, each RADIUS event takes until fully processed.
RADIUS Errors - Logs RADIUS-related errors such as user rejections and unknown RADIUS attributes that Aradial does not handle.
RADIUS Data - Logs all RADIUS dialogs between Aradial and the NAS. This includes the attributes of every request, so the log contains user names and other per-user data; protect it accordingly.
RADIUS Dump - Logs all RADIUS dialogs between Aradial and the NAS in binary form, to view the packets.
TCL Debug - Logs the TCL commands executed in the flow of the TCL Handler algorithm. TCL has its own log configuration at HKEY_LOCAL_MACHINE\SOFTWARE\Aradial\TclAlgs.
Activity Log - Records all incoming packets to the RADIUS server in CSV format. Please review the separate manual on this functionality, ActivityLog.pdf.
Performance Log - Logs the performance of the RADIUS server. The information is held in memory and is also used for SNMP reporting. A sample:
07/30/2007 01:29:05 #14 15A8 DB Connections Stats: Db-Up=Yes, Num-Connections=24, Unused=24, Failed=0
07/30/2007 01:29:05 #14 15A8 ------------------------------ Performance Statistics -----------------------------
Stat: 5 Seconds, From-Server-Start: 0:05:51:28 (x/y[/z] : x=from last update, y=from init, z=per second)
Stat: Total: Requests: 0/5/0, Dropped: 0/0/0, Duplicates: 0/0/0
Stat: Auth : Requests: 0/3/0, Dropped: 0/0/0, Duplicates: 0/0/0, Invalid:0/0, Malformed: 0/0, BadAuth:0/0
Stat: Auth : Accepts: 0/1, Rejects: 0/0, Challenges: 0/0, UnknownType:0/2
Stat: Acct : Requests: 0/2/0, Dropped: 0/0/0, Duplicates: 0/0/0, Invalid:0/0, Malformed: 0/0, BadAuth:0/0
Stat: Acct : Responses: 0/2, Not Recorded:0/0, UnknownType:2/0
Stat: End.

The BadAuth and Malformed counters are worth watching: a rising BadAuth count typically means a NAS is sending requests with the wrong shared secret.

IP Pools Log - When the Aradial IP Pool is used for dynamic IP allocation, this log records every allocated, confirmed and released IP in a dedicated log file, with the relevant information:

06/25/2008 10:37:51 #15 1698 IP Pools: Allocated: 10.0.0.1, Pool = ip1
06/25/2008 10:37:51 #15 1544 IP Pools: Confirmed: 10.0.0.1, Pool = ip1
06/25/2008 10:38:21 #15 179C IP Pools: Released : 10.0.0.1, Pool = ip1
06/25/2008 10:44:28 #15 17CC IP Pools: Allocated: 10.0.0.1, Pool = ip1
06/25/2008 10:44:28 #15 01B8 IP Pools: Allocated: 10.0.0.2, Pool = ip1
06/25/2008 10:44:29 #15 12C4 IP Pools: Allocated: 10.0.0.3, Pool = ip1
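The IP Pools log is a convenient place to verify that the non-confirmed IP garbage collection described under Periodic Actions is doing its job. The following Python is an added example, not part of Aradial: it replays the manual's sample lines above and reports allocations that were never confirmed by an Accounting Start nor released within the IP is Considered Non-Confirmed After threshold. The regular expression is an assumption about the line format, and the "now" timestamp is constructed.

```python
"""Find IPs that were allocated but never confirmed ('Old IPs') by replaying the
IP Pools log. Added example, not Aradial code; the line regex is an assumption."""
import re
from datetime import datetime, timedelta

# The manual's own sample lines, embedded so the example runs offline.
SAMPLE_LOG = """\
06/25/2008 10:37:51 #15 1698 IP Pools: Allocated: 10.0.0.1, Pool = ip1
06/25/2008 10:37:51 #15 1544 IP Pools: Confirmed: 10.0.0.1, Pool = ip1
06/25/2008 10:38:21 #15 179C IP Pools: Released : 10.0.0.1, Pool = ip1
06/25/2008 10:44:28 #15 17CC IP Pools: Allocated: 10.0.0.1, Pool = ip1
06/25/2008 10:44:28 #15 01B8 IP Pools: Allocated: 10.0.0.2, Pool = ip1
06/25/2008 10:44:29 #15 12C4 IP Pools: Allocated: 10.0.0.3, Pool = ip1
"""

LINE_RE = re.compile(
    r"^(?P<date>\d\d/\d\d/\d{4}) (?P<time>\d\d:\d\d:\d\d) #\S+ \S+ IP Pools: "
    r"(?P<event>Allocated|Confirmed|Released)\s*: (?P<ip>[\d.]+), Pool = (?P<pool>\S+)$"
)


def parse_events(text):
    """Turn log lines into (timestamp, event, ip, pool) tuples; skip unrelated lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["date"] + " " + m["time"], "%m/%d/%Y %H:%M:%S")
        events.append((ts, m["event"], m["ip"], m["pool"]))
    return events


def non_confirmed_ips(events, now, non_confirmed_after_minutes=5):
    """Return {ip: allocated_at} for leases that were allocated, not confirmed or
    released since, and are older than the threshold at time `now`."""
    pending = {}                       # ip -> time of the latest unconfirmed allocation
    for ts, event, ip, _pool in events:
        if event == "Allocated":
            pending[ip] = ts
        else:                          # Confirmed or Released ends the pending state
            pending.pop(ip, None)
    limit = timedelta(minutes=non_confirmed_after_minutes)
    return {ip: ts for ip, ts in pending.items() if now - ts >= limit}


def demo():
    """At 10:50:00 (constructed) the three 10:44 allocations have had no Accounting
    Start for more than the default 5 minutes, so all three are reported."""
    events = parse_events(SAMPLE_LOG)
    now = datetime(2008, 6, 25, 10, 50, 0)
    return sorted(non_confirmed_ips(events, now))
```

The first 10.0.0.1 lease is not reported because it was confirmed and then released; only the second allocation of 10.0.0.1, with no Confirmed line after it, counts. Run the same logic over a day of real log and compare the result against the garbage collector's own releases: addresses that stay on the list across several collection intervals point at a NAS that is not sending Accounting Start at all.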

When selecting one of the components to edit its logging options, you will be presented with the following options:


Enable - Turn logging for the specified component on or off.
Erase - Turn on/off erasure of the log file when the component starts. When on, the log file is erased immediately when the component starts. Usually you should leave this off.
Close - Turn on/off closing the log file after each write. This lets you view the log file while it is being written. Usually you should turn this on; otherwise you will not be able to view the log until you stop the component.
Time Stamp - Turn on/off time-stamping each log write. When on, the date and time of the logged event are written to the log. Usually you should turn this on.
Thread - Turn on/off recording the handling server thread of each log write.
Log to SYSLOG - Turn on/off delivery of the log to a SYSLOG host, as defined in the Advanced Configuration page.
Log to Windows Event Viewer (NT/XP/2K+) - Turn on/off delivery of the log to the Windows Event Log.
Rename on Switch File - When enabled, when a log file is switched (because of the maximum size restriction) the old log file is renamed and a new log file is created with the undecorated name (the name without the suffix).
Date Time in File Name - When enabled, a newly created log file's name contains the date and time of its creation; otherwise the file name carries a suffix with the serial number of the file.
Log Counter - When enabled, every log event carries a sequence number that can be used to correlate between different log files.
File Name - Specify the path and file name of the log file. If the path and file do not exist, they are created automatically. Valid file names follow the Windows/DOS convention of drive:\path\filename (e.g. c:\program files\Aradial\logs\server.log) or UNC, \\machine\path\filename (e.g. \\PDC\c\aradial\logs\server.log). Log files can contain user names and RADIUS details, so restrict read access to the log directory, particularly when logging to a UNC share.
Because logs usually generate large amounts of data, especially when logging Debug and Info events, Aradial has a safety mechanism that stops writing to the log file when the hard disk is full.
Maximum file size (KB) - Switch to a new log file when the current one reaches this size in KB. When this feature is used, the log view in Aradial shows only the first log file and should not be relied on.

A typical log file, with Enable, Close and Time Stamp set, looks like this:

10/28/2007 12:47:56 ARADIAL Admin Started
10/28/2007 12:47:56 Generating : UserFrame.hts template file.
10/28/2007 12:47:57 Generating : usercon.hts template file.
10/28/2007 12:47:57 Generating : Title.hts template file.
10/28/2007 12:47:57 Generating : UserQry.hts template file.
10/28/2007 12:48:05 Con=ARDServ, MaxConc=3.

You can view the log files with any standard text editor, such as Windows Notepad, but because of the size log files tend to grow to, Notepad may refuse to open them. Many free text editors without this file size limitation are available on the Internet.


Action Log
Aradial keeps a record of all database-related events in your system in the Action Log, which you can view. The Action Log page is reached from the Administrator interface by clicking Data Management > Action Log. The Action Log is also your audit trail for the administrative interface: consult it when a user record or group changes unexpectedly. The Query page of the Action Log displays the following search fields:

Actions - Select the type of operations you are looking for:
Add - All actions in which a record was added to the database, such as adding a Group or a User.
Update - All actions in which an existing record was updated, such as changing Group or User information.
Delete - All actions in which a record was deleted, such as deleting a Group or a User.
User ID - Enter the User ID that performed the action. Note that when users sign up via the New User interface, the User ID is anonymous.
Table Name - Enter the name of the database table on which the action took place. For example, when deleting a user, the table changed is Users.


Record ID - Enter the name of the record that was operated on. For example, the Record ID when changing a User entry is that user's User ID.
From Date - Enter the date from which actions should be searched.
To Date - Enter the date until which actions should be searched.

If any actions match your query, the following is displayed in the Hit page:
Time - The date and time at which the action took place.
User ID - The User ID that performed the action. Anonymous entries are users signing up through the New User interface.
Action - The type of action performed: Add, Update or Delete.
Table Name - The database table altered by the action.
Record ID - The name of the record that was operated on.

User Export

Aradial permits you to export all user information from the user database. The User Export feature is useful for three distinct purposes:
Backup - Although not as reliable and complete as a database backup (it exports only user information), this is a fast and easy way to keep all user information safely stored. The upside of Export Users as a backup method is that all user information is stored in a plain text file, which is both small and compresses well: a single standard 1.44 MB diskette holds approximately 1000 exported users (assuming every field holds maximum information) uncompressed, and approximately 3000 compressed with a mediocre compression tool. The downside is that the exported text file is very insecure and can be read by anyone, and with the Plain password storage method it contains the users' passwords in clear. Make sure the exported file is always stored in a safe place, with access limited to the administrators who need it.
Offline User Database - You may want to use the Aradial user database as a source of information for other programs. Export Users exports into a very configurable plain text file, so any program that can import from a text file can use the exported information.
Batch Administration - Via the Batch Administration tool, explained later, you can use exported files to make batch changes to any number of users.

The User Export page is reached from the Administrator interface by clicking Data Management > User Export. The Query page of Export Users displays the following fields:


File Name to Export The path and file name on the machine running Aradial (or other machines, when using UNC) to which the exported data should go into. User ID Use this field to specify the User ID of the user to be exported. First Name Use this field to export users by their first name. Last Name Use this field to export users by their last name.

Notice that if no User ID, First Name or Last Name are specified, all users in the database will be exported.

Notice that when exporting a large number of users, especially from a slow database such as MS Access, your web browser may time out while awaiting a response from Aradial. If it does, you need not worry: the export process continues until fully completed, and you may continue to work.

The Export Users tool lets you define which fields of the user database are exported to the text file. To define these fields, edit UserExport.tpl, found in the root directory of Aradial, with any text editor such as Notepad. The file may include the following fields:
Table Name           Column                 Format and Description
@Users               UserIndex              Number. The index number of the user in the database.
@Users               UserID                 String. The User ID.
@Users               Password               String. The user password. Notice that this may be encrypted, thus unreadable by external programs.
@Users               GroupName              String. The name of the Group the user is in.
@Users               UserService            Number. The service this user is granted, when overriding the Group setting. The meaning of this number may be found in the NAS Configuration Database, described in Appendix D.
@[I]Users            UserIP                 Number. The override for the Group Remote IP parameter.
@Users               FilterName             String. The name of the filter applied to this user, as an override of the Group Filter value.
@[d]Users            UserExpiryDate         Date. The expiration date of the user.
@Users               UserActive             Bit. Returns 1 or -1 if the user is active, or 0 if not. Notice that the value returned for true (Active) depends on the database's representation of true (either 1 or -1).
@Users               CallBackNumber         String. The number to call if callback is enabled on your system.
@Users               CallerID               String. The CallerID template the user must match to log in.
@[d]db_Users         StartDate              Date. The date on which the user account was (or will be) activated. Notice that dates may take special parameters, described later in this section.
@Users               TimeBank               Decimal.
@Users               KBBank                 Decimal.
@Users               UseTimeBank            Number.
@Users               UseKBBank              Number.
@Users               BusinessEntityIndex    Number.
@UserDetails         UserIndex              Number. The index of the user in the database.
@UserDetails         FirstName              String. The first name of the user.
@UserDetails         LastName               String. The last name of the user.
@UserDetails         Company                String. The company name of the user.
@UserDetails         Address1               String. The first address line.
@UserDetails         Address2               String. The second address line.
@UserDetails         City                   String. The user's city.
@UserDetails         State                  String. The user's state.
@UserDetails         Country                String. The user's country.
@UserDetails         Zip                    String. The user's Zip code.
@UserDetails         PhoneHome              String. The user's home phone number.
@UserDetails         PhoneWork              String. The user's work phone number.
@UserDetails         PhoneFax               String. The user's fax number.
@UserDetails         Email                  String. The user's e-mail address.
@[d]UserDetails      CreateDate             Date. The user creation date (i.e. the date on which the user was added to your database). Notice that dates may take special parameters, described later in this section.
@[d]db_UserDetails   LastModify             Date. The date on which the user account was last modified.
@UserDetails         LastOnlineTime         Number. In seconds, the amount of time the user spent online.
@UserDetails         LastTotalTime          Number. In seconds, the total online time of the entire last billing period.
@UserDetails         TotalOnlineTime        Number. In seconds, the total online time the user has spent on the system since being added to it.
@[d]UserDetails      LastTotalOnlineUpdate  Date. The date on which the TotalOnlineTime column was last updated.
@UserDetails         CustomInfo1            String. Custom information field 1 value.
@UserDetails         CustomInfo2            String. Custom information field 2 value.
@UserDetails         CustomInfo3            String. Custom information field 3 value.
@UserDetails         CustomInfo4            String. Custom information field 4 value.
@UserDetails         Comments               String. The comments entry.

Notice that although very similar to the parameters used in Event Scripting, the Export Users parameters are not the same; in particular, there is no need to specify db_ before each field.

Export Users Special Variable Denominators

The following denominators, or tags, may be used to format Export Users variables:
@[D{xyzabc}]TableName.Column@ - [D] is used for special date formatting, where x, y and z define the date, month and year, and a, b and c define hours, minutes and seconds, in any order. Possible values for x, y, z, a, b and c, in no specific order (you may change the order and choose which of seconds, minutes, hours, date, month and year is displayed first, second, third and so on):
s - Seconds, with no leading zeros.
ss - Seconds, with a leading zero (when needed).


m Minutes, with no leading zeros. mm Minutes, with a leading zero (when needed). h Hours, with no leading zeros. hh Hours, with a leading zero (when needed). D The date, with no leading zeros. DD The date, with a leading zero (when needed). M The month number, with no leading zeros. MM The month number, with a leading zero (when needed) MMM{MMM} The first three letters of the month name. Any added ms will result in an additional letter of the month name. Y - The year, with no leading zeros. YY The year, with leading zeros (when needed, after the year 2000) YYY{Y} The last three numbers of the year. Any additional Ys will result in an additional number of the year. You may use any character as a separator, except for the reserved s, m, h, D, M, and Y. Notice that all date tags must be upper case letters while time tags must be lower case. Some examples of date tagging: @[D]TableName.Column@ - This is the most basic entry. The output is MM/DD/YY (e.g. February 22nd, 1999 is 02/22/99) @[DMMM-DD-YYYY hh:mm:ss]TableName.Column@ for 10:20.30 AM, August 7th, 2001 is Aug-07-2001 10:20:30. @[length]TableName.Column@ - you may use any number to enforce a maximum length on the outcome value. For example, @[4] TableName.Column@ will truncate the output to four characters. @[C]TableName.Column@ - you may use the [C] tag to force conversion of control characters as follows: Carriage Return is converted to \r. New Line is converted to \n. Tab is converted to \t.

119

Backspace is converted to \b. Vertical Tab is converted to \v. Bell is converted to \a. Backslash (\) is converted to \\. @[I]TableName.Column@ - you may use the [I] tag to convert the IP addresses that are stored in the database in long integer format to the standard octet format (i.e. aaa.bbb.ccc.ddd).
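The following Python is an added worked example of the tag rules listed above, written for this manual page; it is not Aradial's own code and does not reproduce the exact behaviour of Aradial's exporter. It renders the date tags (all of s, m, h, D, M and Y with their repeated forms, separators left untouched), applies the [length], [C] and [I] conversions, and reproduces the two documented outputs (02/22/99 and Aug-07-2001 10:20:30). How runs longer than the documented ones (for example five Ms) behave, and the byte order of the long-integer IP value, are assumptions of the example.

```python
import re
from datetime import datetime
from ipaddress import IPv4Address

# Added illustration of the Export Users tags described above; not Aradial's own code.
# How Aradial treats runs longer than documented (e.g. five Ms) is an assumption here.

MONTHS = ["January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"]

# A run of one reserved letter is a tag; any other character is a literal separator.
# Date tags are upper case (D, M, Y), time tags lower case (s, m, h), so the
# pattern is deliberately case sensitive.
_TOKEN = re.compile(r"s+|m+|h+|D+|M+|Y+")


def _num(value, width):
    """Zero-pad to `width` digits; width 1 means no leading zero."""
    return str(value).zfill(width)


def format_date_tag(fmt, dt):
    """Render `dt` with an Aradial-style {xyzabc} format string."""
    def repl(match):
        tok = match.group(0)
        letter, n = tok[0], len(tok)
        if letter == "s":
            return _num(dt.second, min(n, 2))
        if letter == "m":
            return _num(dt.minute, min(n, 2))
        if letter == "h":
            return _num(dt.hour, min(n, 2))
        if letter == "D":
            return _num(dt.day, min(n, 2))
        if letter == "M":
            if n <= 2:
                return _num(dt.month, n)
            return MONTHS[dt.month - 1][:n]   # MMM = "Aug", MMMM = "Augu", ...
        # Y: two-digit year without leading zero; YY: zero-padded; YYY{Y}: last
        # three digits, one more digit per extra Y, capped at the full year.
        digits = 2 if n == 1 else min(n, 4)
        return _num(dt.year % 10 ** digits, 1 if n == 1 else digits)
    return _TOKEN.sub(repl, fmt)


# [C] tag: control characters and backslashes escaped as the manual lists them.
_CONTROL = {"\r": "\\r", "\n": "\\n", "\t": "\\t", "\b": "\\b", "\v": "\\v", "\a": "\\a"}


def escape_control(text):
    """Backslash is doubled first so the backslashes introduced by the other
    escapes are not doubled a second time."""
    out = text.replace("\\", "\\\\")
    for raw, esc in _CONTROL.items():
        out = out.replace(raw, esc)
    return out


def long_to_ip(value):
    """[I] tag: long-integer IP address to dotted octets. Most-significant
    octet first is assumed (the manual does not state the byte order)."""
    return str(IPv4Address(int(value)))


def render_tag(tag, value):
    """Apply one descriptor ([D...], [length], [C], [I], [S] or none) to a value."""
    if tag in ("", "S"):
        return str(value)
    if tag.startswith("D"):
        return format_date_tag(tag[1:] or "MM/DD/YY", value)   # [D] alone = MM/DD/YY
    if tag.isdigit():
        return str(value)[:int(tag)]
    if tag == "C":
        return escape_control(value)
    if tag == "I":
        return long_to_ip(value)
    raise ValueError(f"unknown export tag [{tag}]")


if __name__ == "__main__":
    print(render_tag("DMMM-DD-YYYY hh:mm:ss", datetime(2001, 8, 7, 10, 20, 30)))
    print(render_tag("I", 3232238120))
```

render_tag takes the text between the square brackets (so "DMMM-DD-YYYY hh:mm:ss", "4", "C", "I" or "S") and the database value; a date tag expects a datetime, an [I] tag an integer.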

120

Batch Administration
Aradial permits you, by using specially formatted text files, to perform batch administration of your user database. The Batch Administration feature allows you to perform the following operations:
ADD-USER - Use this operation to add users to your user database.
MODIFY-USER - Use this operation to batch modify existing users in your database.
DELETE-USER - Use this operation to batch delete users from the user database.
The Batch Administration accepts all the fields supported by Export Users, in order to allow you a simple three-step procedure to batch administer your users:
Step 1: Export existing users using Export Users to a file.
Step 2: Modify the exported file to reflect the changes you require.
Step 3: Use the Batch Administration feature to import the exported and modified file back into your database, thus applying the changes to your user database.
The Batch Administration requires the file to be in the following format:
The first line must be: UserExport:
The second line tells Batch Administration which fields are being imported and in what format:
All database fields must be enclosed between @ signs.
All string fields must not be enclosed in quotation signs, and must be suffixed with the [S] tag.
All IP address fields must be suffixed with the [I] tag.
The UserDetails.Comments field must be suffixed with the [C] tag.
All date fields must be suffixed with the [D{xyzabc}] tag, where {xyzabc} is the format of the time/date.
Please refer to the previous section in this manual, Export Users Special Variable Denominators, to understand each of these tags.
Following is a partial list of all importable fields and their respective identifiers:

@[C]UserDetails.Comments@ - String. Notice the [C] tag.
@[S]AccountTypes.AccountName@ - String.
@[S]UserDetails.Address1@ - String.
@[S]UserDetails.Address2@ - String.
@[S]UserDetails.City@ - String.
@[S]UserDetails.Company@ - String.
@[S]UserDetails.Country@ - String.
@[S]UserDetails.CustomInfo1@ - String.
@[S]UserDetails.CustomInfo2@ - String.
@[S]UserDetails.CustomInfo3@ - String.
@[S]UserDetails.CustomInfo4@ - String.
@[S]UserDetails.Email@ - String.
@[S]UserDetails.FirstName@ - String.
@[S]UserDetails.LastName@ - String.
@[S]UserDetails.PhoneFax@ - String.
@[S]UserDetails.PhoneHome@ - String.
@[S]UserDetails.PhoneWork@ - String.
@[S]UserDetails.State@ - String.
@[S]UserDetails.Zip@ - String.
@[S]Users.CallBackNumber@ - String.
@[S]Users.CallerId@ - String.
@[S]Users.FilterName@ - String.
@[S]Users.GroupName@ - String.
@[S]Users.Password@ - String.
@[S]Users.UserId@ - String.
@[D]UserDetails.CreateDate@ - Date. Notice the [D] tag.
@[D]UserDetails.LastModify@ - Date. Notice the [D] tag.
@[D]Users.StartDate@ - Date. Notice the [D] tag.
@[D]Users.UserExpiryDate@ - Date. Notice the [D] tag.
@[I]Users.UserIP@ - IP Address. Notice the [I] tag.
@Users.UserActive@ - Number.
@Users.UserIndex@ - Number.
@Users.UserService@ - Number.
@Users.TimeBank@ - Number.
@Users.KBBank@ - Number.
@Users.UseTimeBank@ - Number.
@Users.UseKBBank@ - Number.
@Users.BusinessEntityIndex@ - Number.

Adding Users: To add any number of users use the ADD-USER command, as follows:

UserExport:
@[descriptor]Table.Column1@separator@[descriptor]Table.Column..n@   (this line determines the format of the following lines)
ADD-USER [descriptor] value for Table.Column1 separator [descriptor] value for Table.Column..n
ADD-USER [descriptor] value for Table.Column1 separator [descriptor] value for Table.Column..n
ADD-USER [descriptor] value for Table.Column1 separator [descriptor] value for Table.Column..n
. . .

For example, suppose you wish to add the following to the Corporate Group:
User ID   Password   First Name   Last Name   Address 1     State   City         Phone      Fax
JohnD     J1234      John         Doe         42nd Street   NY      New York     555-0123
Jane      u2         Jane         Doe         5th Ave       NY      New York     555-0921   555-9022
LexLu     Superman   Lex          Luther                    LA      California

UserExport:
@Users.UserId@,@[S]Users.Password@,@[S]Users.GroupName@,@[S]UserDetails.FirstName@,@[S]UserDetails.LastName@,@[S]UserDetails.Address1@,@[S]UserDetails.State@,@[S]UserDetails.City@,@[S]UserDetails.PhoneHome@,@[S]UserDetails.PhoneFax@,@UserDetails.NewUser@,@Users.UserActive@
ADD-USER JohnD,J1234,Corporate,John,Doe,42nd Street,NY,New York,555-0123,,1,0
ADD-USER Jane,u2,Corporate,Jane,Doe,5th Ave,NY,New York,555-0921,555-9022,1,0
ADD-USER LexLu,Superman,Corporate,Lex,Luther,,LA,California,,,1,0

Notice how in this example most fields are strings, and thus all are padded with parentheses (). In most cases you will deal only with the string fields, as these are more user-information oriented, and you will leave all other parameters for Aradial to set. The NewUser and UserActive fields are used to tag the user as pending approval; once you approve that user, all other settings will slide into place. Also, notice how even empty fields must be placed within the batch string.

Notice that when using the ADD-USER command, you must specify the Users.UserId field. If this field is not specified, Aradial will not be able to add users.

Modifying Users: To modify any number of users use the MODIFY-USER command. The MODIFY-USER command is very similar to ADD-USER, with one exception: the users must already exist in your database:
UserExport:
@[descriptor]Table.Column1@separator@[descriptor]Table.Column..n@   (this line determines the format of the following lines)
MODIFY-USER [descriptor] value for Table.Column1 separator [descriptor] value for Table.Column..n
MODIFY-USER [descriptor] value for Table.Column1 separator [descriptor] value for Table.Column..n
MODIFY-USER [descriptor] value for Table.Column1 separator [descriptor] value for Table.Column..n
. . .

The best way to use the MODIFY-USER command is to first use the Export Users tool to export existing users to a file, change that file, and import it back using Batch Administration. This will help you in two ways:
1. All command strings will be created automatically by Export Users, which will save you much time.
2. The probability of an error is much lower.

Deleting Users: To delete any number of users use the DELETE-USER command. This is, by far, the easiest part of Batch Administration: the format line is ignored, and the format of each command line is always "@UserId@":

UserExport:
@Users.UserId@,@[S]Users.Password@,@[S]Users.GroupName@,@[S]UserDetails.FirstName@,@[S]UserDetails.LastName@,@[S]UserDetails.Address1@,@[S]UserDetails.State@,@[S]UserDetails.City@,@[S]UserDetails.PhoneHome@,@[S]UserDetails.PhoneFax@,@UserDetails.NewUser@,@Users.UserActive@
DELETE-USER User ID

For example, delete the previously added users:

UserExport:
@Users.UserId@,@[S]Users.Password@,@[S]Users.GroupName@,@[S]UserDetails.FirstName@,@[S]UserDetails.LastName@,@[S]UserDetails.Address1@,@[S]UserDetails.State@,@[S]UserDetails.City@,@[S]UserDetails.PhoneHome@,@[S]UserDetails.PhoneFax@,@UserDetails.NewUser@,@Users.UserActive@
DELETE-USER JohnD
DELETE-USER Jane
DELETE-USER LexLu

Notice that both the MODIFY-USER and DELETE-USER are irreversible and should be used with extreme caution.
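Because MODIFY-USER and DELETE-USER cannot be undone, it pays to generate the batch file from data and to check it before importing. The following Python is an added example written for this page, not Aradial's own tooling: it builds ADD-USER, MODIFY-USER and DELETE-USER files in the format described above from a list of records, and checks an existing file for the mistakes the text warns about (missing UserExport: line, a malformed field list, a value count that does not match the field list, and an ADD-USER line without a Users.UserId). The field list and the sample users are taken from the Corporate group example above; the separator is assumed to be a comma that does not occur inside any value.

```python
import re

# Added example of writing and checking a Batch Administration file in the
# format documented above. Not Aradial's own code; the field list and the
# sample users are taken from the manual's Corporate group example.

_FIELD = re.compile(r"^@(?:\[([^\]]*)\])?([A-Za-z]+\.[A-Za-z0-9]+)@$")
COMMANDS = {"ADD-USER", "MODIFY-USER", "DELETE-USER"}


def parse_header(line, sep=","):
    """Parse the field list (second line) into (tag, Table.Column) pairs."""
    fields = []
    for spec in line.split(sep):
        m = _FIELD.match(spec.strip())
        if not m:
            raise ValueError(f"bad field spec: {spec!r}")
        fields.append((m.group(1) or "", m.group(2)))
    return fields


def build_batch(command, fields, rows, sep=","):
    """Build a batch file: 'UserExport:', the field list, then one command line
    per row. Keys missing from a row become empty fields, which the manual
    requires to be present anyway. DELETE-USER lines carry only the User ID."""
    header = sep.join(f"@[{tag}]{col}@" if tag else f"@{col}@" for tag, col in fields)
    lines = ["UserExport:", header]
    for row in rows:
        if command == "DELETE-USER":
            lines.append(f"DELETE-USER {row['Users.UserId']}")
        else:
            lines.append(command + " " + sep.join(str(row.get(col, "")) for _, col in fields))
    return "\n".join(lines) + "\n"


def check_batch(text, sep=","):
    """Check a batch file before importing it (MODIFY-USER and DELETE-USER are
    irreversible). Returns a list of problems; an empty list means it passed."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "UserExport:":
        return ["first line must be 'UserExport:'"]
    try:
        fields = parse_header(lines[1], sep)
    except (IndexError, ValueError) as e:
        return [f"field list: {e}"]
    columns = [col for _, col in fields]
    problems = []
    for n, line in enumerate(lines[2:], start=3):
        if not line.strip():
            continue
        cmd, _, rest = line.partition(" ")
        if cmd not in COMMANDS:
            problems.append(f"line {n}: unknown command {cmd!r}")
            continue
        if cmd == "DELETE-USER":
            if not rest.strip():
                problems.append(f"line {n}: DELETE-USER needs a User ID")
            continue
        values = rest.split(sep)
        if len(values) != len(columns):
            problems.append(f"line {n}: {len(values)} values for {len(columns)} fields")
            continue
        # ADD-USER cannot work without Users.UserId; an empty value is as bad as a missing column.
        if cmd == "ADD-USER" and ("Users.UserId" not in columns
                                  or not values[columns.index("Users.UserId")].strip()):
            problems.append(f"line {n}: ADD-USER requires a Users.UserId value")
    return problems


FIELDS = parse_header(
    "@Users.UserId@,@[S]Users.Password@,@[S]Users.GroupName@,@[S]UserDetails.FirstName@,"
    "@[S]UserDetails.LastName@,@[S]UserDetails.Address1@,@[S]UserDetails.State@,"
    "@[S]UserDetails.City@,@[S]UserDetails.PhoneHome@,@[S]UserDetails.PhoneFax@,"
    "@UserDetails.NewUser@,@Users.UserActive@")

SAMPLE_USERS = [  # constructed from the manual's example; NewUser=1, UserActive=0 marks pending approval
    {"Users.UserId": "JohnD", "Users.Password": "J1234", "Users.GroupName": "Corporate",
     "UserDetails.FirstName": "John", "UserDetails.LastName": "Doe",
     "UserDetails.Address1": "42nd Street", "UserDetails.State": "NY",
     "UserDetails.City": "New York", "UserDetails.PhoneHome": "555-0123",
     "UserDetails.NewUser": 1, "Users.UserActive": 0},
    {"Users.UserId": "LexLu", "Users.Password": "Superman", "Users.GroupName": "Corporate",
     "UserDetails.FirstName": "Lex", "UserDetails.LastName": "Luther",
     "UserDetails.State": "LA", "UserDetails.City": "California",
     "UserDetails.NewUser": 1, "Users.UserActive": 0},
]

if __name__ == "__main__":
    batch = build_batch("ADD-USER", FIELDS, SAMPLE_USERS)
    print(batch)
    print("problems:", check_batch(batch))
```

The generated ADD-USER line for JohnD is the same as the one in the manual's example, including the empty PhoneFax field. Run check_batch on any hand-edited file before importing it; it is a syntax check only and does not know whether the users exist, so a MODIFY-USER file still needs to be built from a fresh Export Users run as the text recommends.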


Database Operations
Aradial allows you to purge data and/or reset statistics information from the database. The Data Operations page may be reached from the Administrator interface by clicking Server Data Management > DB Operations. The Query page of Database Operations displays two distinct sections:

Purge Data - which allows you to clean (erase) data from the different tables in your database.
Table Name - the name of the database table that should be cleaned. Tables which may be purged are:
Accounting Log - which keeps accounting information from your NAS regarding who logged on/off and when.
Action Log - which tracks actions which took place in your database.
Groups Statistics - which keeps information regarding your Groups, used to generate the various Group graphs.
NAS Statistics - which keeps information regarding your NASes, used to generate the various NAS graphs and reports.
System Statistics - which keeps information regarding your system, used to generate the system reports. Please notice that the System Statistics table is still unused, thus there should be no data in it, and there is no value in purging it.
Sessions Statistics - which keeps information about sessions that took place in your system, used to generate the Sessions graphs and reports.
Purge to Date - enter the date until which all records in the selected table should be purged.

Reset Statistics - which allows you to reset (zero out) data in the different statistics tables in your database.
Table Name - the name of the database table that should be cleaned. Tables which may be cleaned are:
Groups Statistics Average - which keeps various average calculations regarding your Groups, used to generate the Group graphs.
NAS Statistics Average - which keeps various average calculations regarding your NASes, used to generate the NAS graphs.
System Statistics Average - which keeps various average calculations regarding your system, used to generate the system graphs. Please notice that the System Statistics Average table is still unused, thus there should be no data in it, and there is no value in resetting it.

Notice that Purge and Reset operations are irreversible, and you should back up your database before performing them.


Chapter 8
Proxy and Roaming
Adding Proxy Capabilities to Aradial.
A RADIUS Proxy is the term used to define a RADIUS server, such as Aradial, that does not provide actual RADIUS authentication and accounting; instead, it forwards user access requests to a predefined host. A network environment including a RADIUS Proxy will actually require at least two RADIUS servers (such as Aradial):
A RADIUS Proxy Server (henceforward referred to as Proxy) - to which the NAS authenticates, and which will pass the authentication and/or accounting requests to the RADIUS Proxy Target.
A RADIUS Proxy Target (henceforward referred to as Target) - which will authenticate and/or start the accounting process for the user accessing the Proxy Server.
The Proxy determines the Target by parsing the User ID it receives from the NAS. If the User ID consists of User ID@Realm or Realm/User ID, the Proxy will forward the request to the specified Target according to the realm, by looking up the Target information as specified in its Targets table; otherwise, it will assume the user has a local account. You may set two Aradial machines running as both Proxy and Target, providing authentication and accounting services for each other, or in fact use any other RADIUS server which supports Proxy with Aradial. Using Aradial on both (or more) sides will greatly enhance your Proxy capabilities, as when the Proxy delivers a request to the Target, it also tells the Target what type of NAS the user has connected to. Aradial will use this information to return the best set of attributes matching the NAS, instead of using generic attributes.

Figure 6.1 RADIUS Proxy


Roaming
As previously explained, when Aradial is accessed by a user with a realm attached to his User ID, Aradial looks up the Realm information in its Realms table and delivers the request to one of the Targets associated with the Realm Group of that Realm. In some cases, you may find the Roaming feature useful; it relies on a DNS lookup instead of a preconfigured Target IP address for each Target. This will prove very useful in large and complex networks where, instead of specifying all possible Targets in each Proxy, you may use one entry to allow Proxy forwarding. Also, as in large networks a machine rarely keeps a fixed IP address, a DNS lookup may prove more reliable than specifying an IP address. The downside of Roaming is that you must use the same Secret on all Proxies/Targets, which might prove to be a security hazard, and because of the DNS lookup (which is not a fast process), the speed of the entire authentication process may deteriorate.
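The realm handling described in the two preceding sections, as an added Python example written for this page (not Aradial's own code): the User ID is split into realm and bare user name in both the User ID@Realm and Realm/User ID forms, the realm is looked up in a Realms table that maps it to a Realm Group, the Target with the best priority in that group is chosen, and an ID without a realm is treated as a local account. A Target whose address is "*" stands for Roaming; the DNS lookup is replaced by a resolve hook passed in by the caller so the example runs offline. The Boston and New York entries follow the example later in this chapter, while the Chicago realm, the 192.168.10.41 target, the "lower priority value wins" rule and the handling of a realm that is not in the table are assumptions of the example.

```python
from dataclasses import dataclass

# Added example of the realm handling described above: split User ID@Realm or
# Realm/User ID, look the realm up in a Realms table, forward to a Target of its
# Realm Group, or treat the account as local. Not Aradial's own code. The table
# contents are constructed from the New York / Boston example (192.168.10.41 and
# the Chicago realm are made up), and "lower priority value wins" is assumed.


@dataclass(frozen=True)
class Target:
    host: str        # IP address, or "*" for Roaming (resolve the realm name via DNS)
    auth_port: int
    acct_port: int
    priority: int


# Realm name -> Realm Group; several realms may share one group.
REALMS = {"Boston": "boston-office", "NewYork": "ny-office", "Chicago": "roaming"}

# Realm Group -> Targets, as entered under NAS & Proxy > Edit Realm Group > Add/Edit Targets.
TARGETS = {
    "boston-office": [Target("192.168.50.50", 1812, 1813, 1)],
    "ny-office": [Target("192.168.10.41", 1812, 1813, 2),
                  Target("192.168.10.40", 1812, 1813, 1)],
    "roaming": [Target("*", 1812, 1813, 1)],
}


def split_realm(user_id):
    """Return (realm, bare user id). Both 'user@realm' and 'realm/user' are
    recognised; anything else is a local account, signalled by realm None."""
    if "@" in user_id:
        user, _, realm = user_id.rpartition("@")
        return realm, user
    if "/" in user_id:
        realm, _, user = user_id.partition("/")
        return realm, user
    return None, user_id


def route_request(user_id, discard_target_name=True, resolve=None):
    """Decide where an Access-Request goes: (None, user_id) for a local account,
    or (Target, forwarded user id) for a proxied one. `resolve` is an assumed
    hook that stands in for the DNS lookup of a '*' (Roaming) target, so the
    example runs offline. A realm that is not in the Realms table is treated as
    local here, which is an assumption of this example."""
    realm, bare = split_realm(user_id)
    if realm is None or realm not in REALMS:
        return None, user_id
    target = min(TARGETS[REALMS[realm]], key=lambda t: t.priority)
    if target.host == "*":
        if resolve is None:
            raise LookupError(f"Roaming target for realm {realm!r} needs a DNS resolver")
        target = Target(resolve(realm), target.auth_port, target.acct_port, target.priority)
    # "Discard Target Name: Checked" strips the realm before the request is forwarded.
    return target, (bare if discard_target_name else user_id)


if __name__ == "__main__":
    print(route_request("alice@Boston"))
    print(route_request("NewYork/bob", discard_target_name=False))
    print(route_request("carol"))
```

The hook-based Roaming branch also makes the trade-off in the text concrete: every realm that resolves through DNS must be reachable with one shared Secret, and the lookup adds latency to each forwarded request, so a fixed Target entry is preferable wherever the Target's address is stable.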

Adding a Proxy
Adding a Proxy is very simple; it only requires adding a NAS entry which corresponds to the IP address of the Aradial machine from which you wish to receive the proxied requests. See Chapter 5 for how a NAS may be added to Aradial.

Adding a Realm Group


The Realm Group binds one or more realms and one or more proxy targets. The Realm page may be reached from the Administrator interface by clicking NAS & Proxy > Add/Edit Realm Group.

To add realms to the Realm Group, press the Add Realms button on the Realm Groups list page. The following page will open:

Match - The prefix before/after the User ID.

Adding a Target
The Targets page may be reached from the Administrator interface by clicking NAS & Proxy > Edit Realm Group > Add/Edit Targets.

The list page of Targets displays the following information, if any Targets have been set up:
Target - The target server IP.
Description - The target server description.
Priority - The priority for selecting between targets.
Auth port - Authentication port.
Acct port - Accounting port.
Action - Where the possible actions are displayed. For Targets, the possible actions are:
Delete - By clicking on this link, you may delete the Target.
The Add page of Targets will allow you to add a Target, using the following parameters:


Target - The target server IP.
Description - The target description.
Auth Port - Authentication port.
Acct Port - Accounting port.
Secret - This is the secret password as set on your Proxy target machine. A wrong secret will inhibit the Proxy target machine from authenticating proxied requests.

Example
Suppose you have two offices, one in New York and the other in Boston, and you wish to allow your employees/users to access their respective network, whether they are in New York or Boston. In this scenario you will set up both the New York (IP address 192.168.10.40) and Boston (IP address 192.168.50.50) Aradial machines as both Proxies and Targets, as seen in Figure 6.2.

Figure 6.2 Proxy Example

First configure the New York machine. You will need to create a Proxy (NAS) entry on it so the Boston machine may forward requests to it:
NAS & Proxy > Add NAS
NAS Name: Boston
IP: 192.168.50.50
Secret: My$Secret#Password
Confirm Secret: My$Secret#Password
Model: Default
Location: Boston
Description: Boston Proxy

Now create the Target, so the New York machine may forward Boston users to the Boston machine:
NAS & Proxy > Realm Group Edit > Add Target
Domain Name: Boston
Forward To: 192.168.50.50 (you may also put an asterisk (*) here; if the Boston machine has a valid DNS entry, it will be resolved to the IP address. This is Roaming.)
Secret: My*Other^Secret&Password
Forward Accounting Requests: Checked
Log Account Requests: Unchecked
Discard Target Name: Checked

Now do the same for the Boston machine. First create a Proxy (NAS) entry on it so the New York machine may forward requests to it:
NAS & Proxy > Add NAS
NAS Name: New York
IP: 192.168.10.40
Secret: My*Other^Secret&Password
Confirm Secret: My*Other^Secret&Password
Model: Default
Location: New York
Description: New York Proxy

Now create the Target, so the Boston machine may forward New York users to the New York machine:
NAS & Proxy > Realm Group Edit > Add Target
Domain Name: NewYork
Forward To: 192.168.10.40 (you may also put an asterisk (*) here; if the New York machine has a valid DNS entry, it will be resolved to the IP address. This is Roaming.)
Secret: My$Secret#Password
Forward Accounting Requests: Checked
Log Account Requests: Unchecked
Discard Target Name: Checked

Notice how the Secrets match between the machines: the New York Proxy (NAS) entry for Boston uses the Secret My$Secret#Password, and the Boston Target pointing to New York uses that same Secret. The Boston Proxy (NAS) entry for New York uses the Secret My*Other^Secret&Password, and the New York Target pointing to Boston uses that same Secret.


Chapter 9
Tiered Admin Access
Proliferation of Administration Duties.

In large setups, most administrative duties are divided between a number of persons: the technical aspects of server configuration are handled by the technical manager or the system administrator, while the support staff is in charge of solving user problems such as denied access due to wrong passwords, etc. Aradial, via its Tiered Admin Access feature, allows you to use sets of HTS files to which only designated personnel have access, thus eliminating cases in which, for example, someone in the sales department might be tempted to play around with the server and accidentally cause a server shutdown. The Tiered Admin Access of Aradial permits only the main Administrator to set access permissions for the users in the database, using the Admin Type field in the User page. Aradial comes with three levels of Tiered Admin Access, of which two may be changed:
Full Rights - This type of access is granted ONLY to the default user created when Aradial was first installed. This user can perform any action in Aradial, from configuring the server to adding users and viewing session reports. This right cannot be given to other users on your system. You may change this Administrator Interface by changing the level 1 HTS files (HTS levels are discussed below).
Co-Admin - This type of access may be granted by the Administrator to any of the users in the database by setting their Admin Type value to Co-Admin. By default this user can perform all actions the Full Rights Administrator can perform, except granting an Admin Type level to another user. You may change this Administrator Interface by changing the level 3 HTS files (HTS levels are discussed below).
None - This is the default access a user has set as his Admin Type value. The None level will inhibit users from accessing the Administrator Interface. There are no HTS files that may be altered for this Admin Type level, since no access is granted.
You may easily create new levels of access by duplicating one level of HTS files and altering the new set of HTS files to your requirements. Each HTS level is designated by a number in the Administrator HTS files directory ([Path to Aradial]\HTS\Admin). Although all level numbers (but level 1, which is reserved for the Full Rights Admin) have no real meaning (e.g. you can set the Co-Admin as level 67 instead of its default level 3), it might be wise to number the levels in ascending order by level of permission (e.g. Co-Admin 3, System Administrator 4, User Manager 5, Technical Support 6, etc.).


After creating a new HTS level, you should add the new level to the Rights.hts file in the Admin\1\ directory. This file is used as the source of data for the Admin Type selection box in the User edit page. The format of this file is as follows:
<!--SIG=xxxxxxx-->
@db_$EValuePairs=<NONE>=0,LevelName1=LevelNumber1,LevelName2=LevelNumber2,...,LevelNamen=LevelNumbern$UserDetails.AdminType@

where:
LevelName is the name displayed in the Admin Type field in the User page.
LevelNumber is the directory number under the HTS\Admin directory.
For example: Suppose you wish to add an Admin Type level named Online Sessions, which allows the level bearer to solely view the Online Sessions page in the Administrator Interface. For this example, we will number this level 12:
1. Open a new directory named 12 under [ARADIAL path]\HTS\Admin\, so you have a new directory structure: [ARADIAL path]\HTS\Admin\12\.
2. Copy to this new directory the HTS files that should be available to users with this Admin Type. In this case, copy Sessions.hts from Admin\1\ and rename it to index.hts (index.hts is the default page opened when opening the Administration Interface).
3. Edit HTS\Admin\1\Rights.hts using any text editor, such as Notepad, and set the following:
@db_$EValuePairs=<NONE>=0,Online Sessions=12$UserDetails.AdminType@
4. Open the Administration Interface, and grant the relevant user the Admin Type Online Sessions. Once this user logs on to the Administrator Interface, he will automatically access the Online Sessions page.
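Since Rights.hts is what turns a level number into an Admin Type that can be granted, a wrong pair there either exposes a level directory you did not intend or points at one that does not exist. The following Python is an added example for this page, not Aradial's own code: it reads the EValuePairs entry in the format shown above into a name-to-level mapping and then applies two checks that the text implies but Aradial is not documented to perform, namely that no pair hands out level 1 (reserved for the Full Rights Administrator) and that every other level has a matching HTS\Admin\<n> directory. The sample file content is constructed after the Online Sessions example; the set of existing directory numbers is passed in by the caller so nothing is read from disk.

```python
import re

# Added example of reading the Admin Type value pairs from Rights.hts as documented
# above. Not Aradial's own code; the two checks are what an administrator would
# want before granting levels, not documented Aradial behaviour.

_PAIRS = re.compile(r"@db_\$EValuePairs=(.*?)\$UserDetails\.AdminType@", re.S)


def parse_rights(hts_text):
    """Return {LevelName: LevelNumber} from the EValuePairs entry of Rights.hts."""
    m = _PAIRS.search(hts_text)
    if not m:
        raise ValueError("no EValuePairs entry for UserDetails.AdminType")
    levels = {}
    for pair in m.group(1).split(","):
        name, sep, number = pair.partition("=")
        if not sep or not number.strip().isdigit():
            raise ValueError(f"malformed pair: {pair!r}")
        levels[name.strip()] = int(number)
    return levels


def check_rights(levels, existing_dirs):
    """Flag levels whose HTS\\Admin\\<n> directory is missing, and any pair that
    hands out level 1, which is reserved for the Full Rights Administrator.
    `existing_dirs` is the set of level directory numbers found on disk."""
    problems = []
    for name, number in levels.items():
        if number == 0:
            continue                      # <NONE>: no Administrator Interface access
        if number == 1:
            problems.append(f"{name}: level 1 is reserved for the Full Rights Administrator")
        elif number not in existing_dirs:
            problems.append(f"{name}: directory HTS\\Admin\\{number} does not exist")
    return problems


SAMPLE_RIGHTS = (  # constructed, following the manual's Online Sessions example
    "<!--SIG=xxxxxxx-->\n"
    "@db_$EValuePairs=<NONE>=0,Co-Admin=3,Online Sessions=12$UserDetails.AdminType@\n"
)

if __name__ == "__main__":
    levels = parse_rights(SAMPLE_RIGHTS)
    print(levels)
    print(check_rights(levels, existing_dirs={1, 3}))
```

With only the 1 and 3 directories present, the check reports that the Online Sessions level still lacks its HTS\Admin\12 directory, which is step 1 of the procedure above; once that directory exists the file passes.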


Chapter 10
Business Partners
Using Business Partners in Aradial.
A Business partner is an individual or organization that registers customers and sells the company's products in exchange for a commission. Aradial supports the following Business partner functionality:
Administrator activities:
Registration of Business partner
View/Edit/Delete business partner entities
View/maintain business partners list
Add users under specific business partner
Register Admin dealer user (Dealer admin user)
Dealer self-care activities:
Login as pre-defined business partner
Specific main screen and user manager for business partner login
Register single user by business partner
Generate bulk of users by business partner
Dealer portal to view/maintain and manage their own customers
Search sessions for specific business partner
View online sessions for specific business partner


Administrator Activities
Registration of Business partner

The Add/Edit Business Entity page can be accessed from the Aradial main screen: User Manager > Business Entity.

The page will allow registering a new business partner or editing an existing business partner. The Add/Edit page of Business partner displays the following information:
Business Entity Name - Contains the name of the Business partner. This is a mandatory field and is required as part of the business partner registration.
Type - Specifies the type of the business partner (e.g. Dealer).
Company - Informational text field to indicate the company name for the business partner.
Contact First Name - Informational text field to indicate the business partner contact first name. This is an optional field.
Contact Last Name - Informational text field to indicate the business partner contact last name. This is an optional field.
Address - Informational text field to indicate the business partner address details. This is an optional field.
City - Informational text field to indicate the business partner City details. This is an optional field.
State - Informational text field to indicate the business partner State. This is an optional field and needs to be chosen from a drop-down list.
Country - Informational text field to indicate the business partner Country. This is an optional field and needs to be chosen from a drop-down list.
Zip - Informational text field to indicate the business partner Zip. This is an optional field.
Phone - Informational field to indicate the business partner phone number. This is an optional field.
Email - Informational field to indicate the business partner Email address. This is an optional field.

View/Edit/Delete Business partner entities

The View/Edit/Delete Business partner entity page can be accessed from the Aradial main screen: User Manager > Business Entity > Edit button.

The page allows viewing the currently registered business partners in a summary view, deleting a business partner and viewing specific business partner details. The View/Edit/Delete page of Business partner displays the following information:
Business Entity List:
Name - Displays the business entity name as inserted in the business partner registration.
Type - Displays the business entity type as inserted in the business partner registration.
Company - Displays the business entity Company name as inserted in the business partner registration.
Created - Displays the sysdate the business partner was registered in the database.
Last Modified - Displays the sysdate of the last change made to the business entity details (any field of the business partner entity).
Action - Allows deleting a specific business partner. Please note: only unused business partners may be deleted. Business partners with active users / sessions will be forbidden from this activity; Aradial will block the option to delete a used business partner.


Add users under specific business partner (from the administrator portal):

The Add/Edit User page can be accessed from the Aradial main screen: User Manager > User > Add button.

The page allows registering a user as described in chapter 2 (User Manager chapter). Aradial supports registration of a user related to a pre-defined business partner. Aradial distinguishes between two types of registration under the business partner:

Registering a Dealer Admin user under a business entity:

The ascription to the business partner is done using the 'Business Entity' field. The 'Business Entity' field displays the list of registered business partners and allows connecting the user to a specific business partner. The 'Administrative Rights' field sets the user as an Admin user and allows access to the business partner self-care module.

Registering a regular user under a business entity:

The ascription to the business partner is done using the 'Business Entity' field as described above. The 'Administrative Rights' field should not be used for regular users.


Business Partner Self-Care Activities

Login as pre-defined business partner

Once a business partner accesses the Aradial portal page he will be requested to enter his user name and password.
User Name - Should be identical to the 'User Id' registered in the Admin user under the business partner. The user name is case sensitive.
Password - Should be identical to the 'Password' registered in the Admin user under the business partner. The password is case sensitive.

Aradial will validate the user name and password details and authenticate or reject the admin user login to the system.


Dealer Main screen

The Admin Dealer main screen page can be accessed from the Aradial access portal, using the Admin dealer user name and password: User Manager.

The opened screen will present the available options / activities allowed for the admin dealer user, and not the full list of options as appears for the system admin user.
User Add/Edit - Allows the admin dealer user to add / search / view / update his own users. The 'Business Entity' field will not be presented in the registration form and will be populated by default with the logged-in admin user details.
Prepaid Cards - Allows the dealer to define a set of prepaid card templates, which allow easy batch generation later on. The card type entity supports a set of definitions at the card level.
View Sessions - The view sessions option allows the admin dealer user to view / search the sessions related to his business partner. The view sessions are described in detail in the next figures.


The Admin Dealer main screen page can be accessed from the Aradial access portal, using the Admin dealer user name and password.

The opened screen will present the available options / activities allowed for the admin dealer user.
User Manager - The user manager is described in detail in the next figure. This is a limited user manager that allows specific activities related to the logged-in business partner only.
Online Sessions - The Online sessions option is described in detail in the next figures. This is a limited Online sessions page that allows viewing sessions related to the logged-in business partner only.

User Lookup
The User Lookup screen allows the logged-in Admin dealer user to view/maintain and manage his own customers (i.e. users registered under his business partner entity). The search screen is identical to the generic User Manager search screen as described in chapter 2; however, the Dealer self-care screen will limit the admin dealer user to searching his own users only.


User list under the Business Partner

The User List page can be accessed from the Aradial access portal, using the Admin dealer user name and password: User Manager > Edit.

The Users screen presents the list of users under the logged-in business partner, based on the search criteria. The screen and the presented output fields are described in detail in chapter 2 under the User Manager chapter. The Users page allows the business partner to view / edit / search / maintain his own customers, as well as to send emails or perform specific actions (e.g. reserve, delete, etc.) as described in chapter 2 under the User Manager chapter.


Add single user under the business partner

The Add/Edit User page can be accessed from the Aradial access portal, using the Admin dealer user name and password: User Manager > Add.

The opened screen is the same as described in chapter 2 under the User Manager chapter, with the following exceptions:
'Business Entity' field is not presented. The value for the business entity is set automatically to the logged-in business partner and there is no need to set it manually.
'Administrative Rights' field is not presented. This field is not relevant for a regular user and therefore is not presented when a user is registered by the Admin dealer user.


Generate prepaid cards under the business partner

Please see Generate Prepaid Cards. The restriction is that the prepaid cards will be generated under the reseller, and only using groups that the reseller is allowed to register.

View sessions for business partner - Search screen

The Session Lookup page can be accessed from the Aradial access portal, using the Admin dealer user name and password: User Manager > View Sessions.

The opened screen is the same as described in chapter 2 under the User Manager chapter, with one exception: the screen presents the sessions related to the logged-in business partner only and does not present sessions related to other business partners in the system.


View sessions for business partner - Results screen

The Session Result page can be accessed from the Aradial access portal, using the Admin dealer user name and password: User Manager > View Sessions > View Sessions.

The opened screen is the same as described in chapter 2 under the User Manager chapter and presents the sessions for the logged-in business partner only.


View Online sessions for business partner screen

The Online Sessions page can be accessed from the Aradial access portal, using the Admin dealer user name and password: Online Sessions.

The opened screen is the same as described in chapter 2 under the Online Sessions chapter and presents the sessions for the logged-in business partner only. The filters, sort orders, refreshing methods and presented values are the same as described in chapter 2 under the Online Sessions chapter.


Chapter 11
Web Self Care
Using Aradial as Users Web-Self-Care.

Aradial provides a Wifi portal, which is a web-based application that enables customers and users to browse and manage their own accounts. The portal can be customized to suit any provider's look and feel. With the Aradial self care application, authorized users can perform the following activities:
View the user summary
View user balances
Update user details
Change user password
View and search the user sessions

Login to Aradial user self care:

When a pre-defined user wants to access the Aradial portal and view / manage his account, he should access the Aradial portal URL (http://localhost:8001/Wsc).


The Aradial portal port is configurable and can be changed from the main admin Aradial screen: Server Configuration > Advanced Configuration > HTTP Server > WSC Interface Setting section, WSC Interface port parameter. Once Aradial authenticates and validates the user name and password, the Aradial User Self Care will present the User Summary page:

User Summary

The following sections will be presented in the User Summary tab:
Personal Information: The Aradial user self portal presents the user's personal information with the registered data in 'read only' mode.
Access Information: The Aradial user self portal presents the user's access information with the registered data in 'read only' mode.
Additional access information: The Aradial user self portal presents the user's additional access information with the registered data in 'read only' mode.
Dates: The Aradial user self portal presents the dates information with the following details in 'read only' mode:
User Creation date: The date the user was created in Aradial.

149

User expiration date: the user expiration date. In case the user has no expiration date, the field will be empty. User activation date: The user activation date as inserted in the user registration. In case no activation date was inserted, the user creation date will be presented. Last login on: the last login date for the specific user. This field is updated automatically by aradial and will present the most updated date. Metering information: User metering information will be presented. The data is automatically updated by Aradial based on the user' sessions. Data is presented in 'read only' mode.

Update User

The Update User page in the Aradial self care interface allows users to manage their own accounts and update them. Aradial allows changing any of the user's personal information but does not allow changing metering information or any other system data (e.g. user activation date, expiration date, tariff details, etc.). The user changes his personal information by editing the appropriate field and pressing the 'Update' button. The change is reflected immediately.


Change Password

The Aradial self care portal enables users to maintain and change their password. Aradial first authenticates and validates the old password and only then allows changing to the new password. The flow to change the user password is as follows:
The user opens the Change Password tab in the user self care.
The user types in the old password, the new password and re-enters the new password.
Aradial authenticates the old password.
If validation passes, the password is replaced and an appropriate message is displayed.
In case of a validation error, the password is not changed and an appropriate message is displayed.

View Sessions


The Aradial user self care interface allows users to view their own sessions by opening the View Sessions tab. The page is displayed in search mode and asks for date range criteria for the search. Leaving the date fields empty means no range criteria, and Aradial self care presents all of the user's sessions. Reset clears the search criteria and removes the old values from the search fields. The Search button searches the user sessions based on the input parameters, or all sessions if no parameters are entered. The sessions screen presents the following information:

Last update: the last login date and time when the user was connected.
Login time: the session start time.
Time online: the session duration.
Service: the service the user is connected to and the session is related to.
In MB: the megabytes received in the specific session.
Out MB: the megabytes sent in the specific session.


Chapter 12

Packet Of Disconnect

Packet of Disconnect functionality enables physically disconnecting existing sessions by sending the NAS a disconnect request. Please note: the NAS needs to support disconnect requests.

Aradial supports invoking the PoD request from the Admin web interface to allow disconnecting sessions from the Online Sessions page. For detailed screenshots and available options please refer to the Online Sessions chapter. Aradial provides two deployment options (controlled by configuration):
The same RADIUS server is used for AAA and for PoD (default configuration)
A separate standalone server is used for handling PoD

Admin PoD support


The online sessions page is providing the PoD support. For detailed information and screenshots please refer to the online sessions chapter.

PoD Configuration
The PoD configuration parameters are supported using the Aradial advanced configuration page. For detailed information and screenshots please refer to the advanced configuration chapter.

Radius Client
Radius Client is a new section in the Configuration (Radius Client option) holding the configuration for the RadiusClient library.


Following is the screenshot and the list of options available:

RADIUS 1 Server IP: IP of the primary RADIUS server to be used for disconnect messages.
RADIUS 2 Server IP: IP of a secondary RADIUS server to use in case the primary one is not available.
RADIUS Secret: The shared secret between the Admin and the RADIUS server. Note: it is important to define the Admin as a NAS in the Network Access Server list; a RADIUS server only accepts requests from clients it knows, using the secret configured for that entry.
RADIUS Port: The UDP port used by the server to receive Access-Requests. This should match the RADIUS Server definition.
RADIUS Control Port: The UDP port used by the server to receive control commands. This should match the RADIUS Server definition.
RADIUS Dictionary Directory: The path to the RadDb directory.
RADIUS Dictionary Name: Name of the dictionary to use. Should be default.dic.
Resend Authentication Timeout: Timeout until a resend of an authentication request (in milliseconds).
Resend Accounting Timeout: Timeout until a resend of an accounting request.
Resend Control Timeout: Timeout until a resend of a control message.
Number of Authentication Resend: Maximum number of authentication resends.
Number of Accounting Resend: Maximum number of accounting resends.
Number of Control Resend: Maximum number of resends of a disconnect message. A value of 0 means no resends.

PoD API
PoD requests can be invoked using Aradial APIs in two forms:
1. Using the User Management HTTP API
2. RadiusClient.dll: by integrating directly with RadiusClient.dll, a program can issue disconnect requests
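The following is an added example in Python, not Aradial's RadiusClient library or its HTTP API, showing what a disconnect request looks like on the wire as defined in RFC 5176: the Request Authenticator the client computes with the shared secret, the check a NAS performs before acting on it (a bad authenticator is silently discarded), the Disconnect-ACK / Disconnect-NAK the NAS returns, and a resend loop with the semantics of the "Number of Control Resend" setting above. The shared secret, the session identifiers and the in-memory NAS are constructed for the demonstration.

```python
"""RADIUS Disconnect-Request (RFC 5176) construction and checking.
Added illustration; not Aradial's RadiusClient library.  The secret, the
session values and the in-memory NAS below are constructed for the demo."""
import hashlib
import hmac
import struct
from typing import Callable, Optional

CODE_DISCONNECT_REQUEST, CODE_DISCONNECT_ACK, CODE_DISCONNECT_NAK = 40, 41, 42
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_ACCT_SESSION_ID = 1, 4, 44


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header octets (RFC 2865)."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(packet: bytes) -> dict:
    """Attributes after the 20-octet header, keyed by type (last one wins)."""
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def build_disconnect_request(secret: bytes, identifier: int, attrs: bytes) -> bytes:
    header = struct.pack("!BBH", CODE_DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    # RFC 5176 s3.3: Request Authenticator = MD5(Code + ID + Length +
    # 16 zero octets + Attributes + Secret).  It is not a random nonce.
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request(packet: bytes, secret: bytes) -> bool:
    """The check a NAS performs before tearing down a session."""
    if len(packet) < 20:
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """The check the PoD client performs; also ties the reply to the request ID."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def send_disconnect(transport: Callable[[bytes], Optional[bytes]], request: bytes,
                    secret: bytes, max_resends: int) -> str:
    """Send and wait; max_resends mirrors 'Number of Control Resend' (0 = one try)."""
    for _ in range(max_resends + 1):
        response = transport(request)
        if response is not None and verify_response(response, request, secret):
            return "ACK" if response[0] == CODE_DISCONNECT_ACK else "NAK"
    return "TIMEOUT"


def make_fake_nas(secret: bytes, sessions: set, drop_first: int = 0):
    """Constructed in-memory NAS: drops the first N datagrams, then answers."""
    state = {"dropped": 0}

    def transport(request: bytes) -> Optional[bytes]:
        if state["dropped"] < drop_first:
            state["dropped"] += 1
            return None
        if not verify_request(request, secret):
            return None  # RFC 5176: silently discard on a bad authenticator
        session = parse_attrs(request).get(ATTR_ACCT_SESSION_ID)
        code = CODE_DISCONNECT_ACK if session in sessions else CODE_DISCONNECT_NAK
        if code == CODE_DISCONNECT_ACK:
            sessions.discard(session)
        return build_response(code, request, secret)
    return transport


if __name__ == "__main__":
    secret = b"constructed-secret"
    attrs = encode_attr(ATTR_USER_NAME, b"alice") + encode_attr(ATTR_ACCT_SESSION_ID, b"0001A2B3")
    req = build_disconnect_request(secret, 7, attrs)
    print(send_disconnect(make_fake_nas(secret, {b"0001A2B3"}, drop_first=1), req, secret, 1))
```

Because the whole packet, including the Acct-Session-Id that identifies the session to drop, is covered by the MD5 over the shared secret, a wrong or mismatched secret in the Radius Client settings does not produce an error: the NAS simply never answers, and the client reports a timeout after the configured number of resends. Defining the Admin as a NAS with the same secret is therefore essential.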
System Services

System services are a new type of service defined in NasCfgDbs and are used for constructing dynamic authorization requests (PoD and CoA). A system service is similar to a regular service, with the difference that system services cannot be selected for use in Groups for regular authorization. System services are used differently for PoD and CoA:
For PoD a fixed system service is used, Packet-Of-Disconnect. This service can be defined differently for different NAS models and thus create a different PoD request according to the NAS model.
For CoA multiple system services can be used, for different CoA commands. The relevant system service for a specific CoA request is identified by a special parameter in the CoA API.


Chapter 13

Wifi / Hotspot Portal

Using the Aradial Portal and customizing it per location.

Customizing Aradial Portal


The Aradial user self care interface allows operators to customize the self care look and feel and to let users log in through their own login screen. Aradial provides all the facilities to change the login page to include the provider logo and details and to use the Aradial self care functionality. This chapter describes the following:
General explanation
Changing the Aradial portal per location (provider)
Examples and instructions

General explanation: the Aradial portal receives parameters from the redirection URL of the router / access controller. When the user wants to log in he is redirected to the provider home page, where he needs to log in with his personal details. The following example demonstrates the flow for a user connection (e.g. in a hotel, from the user's room):
The user connects his PC / laptop to the wifi LAN and gets an IP address.
The user opens his browser (Internet Explorer / Firefox) to connect to the network.
The user is automatically redirected to a secured portal (SSL).
The user is requested to log in with his user name and password.
The login details are sent by the router / access controller to Aradial for authentication.
Aradial rejects or grants the user's login.


Please note: Aradial supports both http and https web access.

Changing the Aradial portal per location (provider): as mentioned above, the Aradial portal receives parameters from the access controller. The provider should configure the URL in the access controller. For example, configure the URL http://localhost:8002/Portal in the Linksys chillispot access controller screen. The following will automatically be added to the URL: uamip=12&uamport=123. When it is redirected, the URL would be:
http://localhost:8002/Portal?portal=msn&uamip=12&uamport=123

The Portal javascript detects uamip=12&uamport=123 and knows it is chillispot.

In the above example we can see that in the redirected URL the portal=msn parameter links the user to the provider home page for user login. Aradial supports changing the look and feel of the web page using the portal parameter in the URL. The portal parameter can also name a folder which exists under Aradial\Hts\Portal. Example:
https://localhost:8002/Portal?portal=example1&uamip=12&uamport=123

The above link redirects the user to the provider home page for user login; the portal parameter links to a directory called example1, and the web page look and feel can be customized in the Portal.hts file there. Pictures and images can also be customized by putting the *.png file in the specified directory. Instructions for changing the Aradial portal per location:
Copy one of the example directories under Aradial\Hts\Portal and rename it (e.g. New_Example).
Download an editor like PSPad and edit Portal.hts to change the content as required.
Change the picture (*.png file) to the required logo.
Configure the URL in the access controller to link to the specified directory.

Please note: More about Aradial Hts customization can be found in 'Hts customization' Appendix F.
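The portal parameter in the redirect URL selects a directory on the Aradial host, so any code that maps it to a path has to treat it as untrusted input. The following is an added example in Python, written for this page and not taken from Aradial's portal or its javascript: it parses the access controller's redirect URL, detects chillispot by the uamip / uamport pair exactly as the text describes, and resolves the portal name to a folder under the portal base while rejecting anything that is not a plain folder name (path separators, "..", URL-encoded slashes). The base path, the name pattern and the Default fallback are assumptions for the demonstration.

```python
"""Added example, not Aradial's portal code: parse the access-controller
redirect URL and map the 'portal' parameter to a directory under
Aradial\\Hts\\Portal without letting the parameter escape that directory.
The base path, name pattern and 'Default' fallback are assumptions."""
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# A portal is a plain folder name: a letter or digit followed by letters,
# digits, '_' or '-'.  This excludes separators, '.', '..', drive letters and
# anything that URL-decodes into them.
SAFE_PORTAL_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")


def parse_redirect(url: str) -> dict:
    """Return the redirect parameters and the detected controller type."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params = {k: v[0] for k, v in query.items()}
    # The page's portal script treats uamip + uamport as the chillispot signature.
    controller = "chillispot" if {"uamip", "uamport"} <= params.keys() else "unknown"
    return {"portal": params.get("portal"), "uamip": params.get("uamip"),
            "uamport": params.get("uamport"), "controller": controller}


def is_safe_portal_name(name: str) -> bool:
    return bool(SAFE_PORTAL_NAME.fullmatch(name))


def portal_dir_for(url: str, base: str, default: str = "Default") -> str:
    """Directory whose Portal.hts should be served for this redirect."""
    name = parse_redirect(url)["portal"] or default
    if not is_safe_portal_name(name):
        raise ValueError(f"rejected portal name {name!r}")
    base_n = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_n, name))
    # Defence in depth: even a name that passed the pattern must stay under base.
    if posixpath.commonpath([base_n, candidate]) != base_n or candidate == base_n:
        raise ValueError("portal path escapes the portal base directory")
    return candidate


if __name__ == "__main__":
    url = "https://localhost:8002/Portal?portal=example1&uamip=12&uamport=123"
    print(parse_redirect(url))
    print(portal_dir_for(url, "/opt/aradial/Hts/Portal"))
```

Resolving the directory this way keeps the customization mechanism (one folder per provider, chosen by the access controller's URL) while making sure a crafted portal value cannot cause files outside Aradial\Hts\Portal to be read or served.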


Example 1: the following example enables user login, self registration, self account management and more information regarding the service provider. The screenshot is an example of the redirection page every user is directed to when trying to access or connect his PC to the wifi LAN. The portal is built to suit the specific provider's logo and look & feel.

Example 2: the following example enables user login, self registration, self account management and more information regarding a different service provider. Both examples use the Aradial self care capabilities and allow customizing the provider interface for user login. The screenshot is an example of the redirection page every user is directed to when trying to access or connect his PC to the wifi LAN. The portal is built to suit the specific provider's logo and look & feel.


Chapter 14

Wimax Implementation

Overview

Aradial RADIUS server supports the RADIUS extensions according to the WiMAX Forum Network Architecture Stage 2 - 3: Release 1, Version 1.2.

Wimax VSA
The Wimax standard has introduced the following enhancements to the RADIUS type system:
Hierarchical attributes which contain a sequence of one or more sub-attributes.
Splitting of long attributes (longer than 255 bytes) into multiple attributes using the Continuation flag in the Wimax VSA format.
Additional attribute types:
o Byte: unsigned 8 bit integer
o Short: unsigned 16 bit integer
o Signed: signed 32 bit integer
Following is a description of the support for the above enhancements in the different subsystems of the Aradial RADIUS server.

Dictionary
A Wimax dictionary (Wimax.dic) defines all the Wimax VSAs as specified in the Wimax standard. Following is an extract from Wimax.dic:

VENDOR WiMAX 24757 format=1,1,c
BEGIN-VENDOR WiMAX
ATTRIBUTE WiMAX-Capability 1 tlv
BEGIN-TLV WiMAX-Capability
ATTRIBUTE WiMAX-Release 1 string
ATTRIBUTE WiMAX-Accounting-Capabilities 2 byte
ATTRIBUTE WiMAX-Hotlining-Capabilities 3 byte
ATTRIBUTE WiMAX-Idle-Mode-Notification-Cap 4 byte
VALUE WiMAX-Accounting-Capabilities No-Accounting 0
VALUE WiMAX-Accounting-Capabilities IP-Session-Based 1
VALUE WiMAX-Accounting-Capabilities Flow-Based 2
END-TLV WiMAX-Capability

VSA Format
The format used for Wimax VSAs is 1,1,c:
The first element (1) relates to the Wimax Type field, which is one byte.
The second element (1) relates to the Wimax Length field, which is one byte.
The third element (c) relates to the Continuation field, which follows the Length field.
All the attributes defined after a BEGIN-VENDOR line are considered VSAs and use the format specified by the format clause.

TLV Attributes
TLV attributes stand for the hierarchical attributes defined in the Wimax standard. A TLV attribute definition is composed of two parts:
The TLV attribute definition, like a regular attribute but with a type of tlv.
The sub-attributes definition, which is a list of regular attribute definitions enclosed between BEGIN-TLV and END-TLV lines.
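To make the 1,1,c format and the TLV nesting concrete, here is an added example in Python (written for this page, not Aradial's dictionary or packet code) that encodes a WiMAX-Capability attribute with the sub-attribute numbers from the Wimax.dic extract above, wraps it in a RADIUS Vendor-Specific attribute for vendor 24757, splits values longer than one attribute can carry across several attributes using the continuation octet, and reassembles them on decode. The 0x80 continuation bit and the 246-octet fragment size follow from the WiMAX Forum VSA layout (outer attribute length is one octet, so 255 minus the 2-octet RADIUS header, 4-octet vendor id and 3-octet type/length/continuation); the test data are constructed.

```python
"""Added example, not Aradial code: encode and decode WiMAX VSAs in the
'1,1,c' format (1-octet vendor type, 1-octet vendor length, continuation
octet) with TLV sub-attributes and splitting of long values across several
RADIUS attributes.  Attribute numbers follow the Wimax.dic extract on this
page; the 0x80 continuation bit is the WiMAX Forum NWG layout."""
import struct

ATTR_VENDOR_SPECIFIC = 26
VENDOR_WIMAX = 24757
CONTINUATION = 0x80
# 255 (max RADIUS attribute) - 2 (type,len) - 4 (vendor id) - 3 (vtype,vlen,c)
MAX_DATA = 246


def encode_sub(sub_type: int, kind: str, value) -> bytes:
    """One sub-attribute TLV; kinds are the page's byte/short/signed/string."""
    if kind == "byte":
        payload = struct.pack("!B", value)
    elif kind == "short":
        payload = struct.pack("!H", value)
    elif kind == "signed":
        payload = struct.pack("!i", value)
    elif kind == "string":
        payload = value.encode() if isinstance(value, str) else bytes(value)
    else:
        raise ValueError(f"unknown kind {kind!r}")
    return struct.pack("!BB", sub_type, len(payload) + 2) + payload


def encode_tlv(subs) -> bytes:
    """Concatenate (sub_type, kind, value) triples into a TLV body."""
    return b"".join(encode_sub(t, k, v) for t, k, v in subs)


def encode_wimax_vsa(vendor_type: int, data: bytes) -> bytes:
    """One or more RADIUS Vendor-Specific attributes carrying `data`."""
    chunks = [data[i:i + MAX_DATA] for i in range(0, len(data), MAX_DATA)] or [b""]
    out = b""
    for i, chunk in enumerate(chunks):
        flag = CONTINUATION if i < len(chunks) - 1 else 0  # more fragments follow?
        vsa = struct.pack("!BBB", vendor_type, len(chunk) + 3, flag) + chunk
        out += struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, len(vsa) + 6, VENDOR_WIMAX) + vsa
    return out


def iter_attrs(data: bytes):
    """Yield (type, value) for a run of RADIUS-style type/length/value items."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        yield attr_type, data[pos + 2:pos + length]
        pos += length


def decode_wimax_vsas(data: bytes) -> dict:
    """Reassemble continued fragments; returns {vendor_type: data}."""
    result, pending = {}, {}
    for attr_type, value in iter_attrs(data):
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 7:
            continue
        if struct.unpack("!I", value[:4])[0] != VENDOR_WIMAX:
            continue
        vtype, vlen, flag = value[4], value[5], value[6]
        if vlen != len(value) - 4:
            raise ValueError("vendor length does not match attribute length")
        pending[vtype] = pending.get(vtype, b"") + value[7:]
        if not flag & CONTINUATION:
            result[vtype] = pending.pop(vtype)
    if pending:
        raise ValueError("continuation flag set on the last fragment")
    return result


def decode_tlv(data: bytes) -> list:
    """Sub-attributes of a TLV body as (sub_type, raw value) pairs."""
    return list(iter_attrs(data))


if __name__ == "__main__":
    # Constructed: WiMAX-Release "1.3", Accounting Flow-Based (2), Hotlining 0
    body = encode_tlv([(1, "string", "1.3"), (2, "byte", 2), (3, "byte", 0)])
    print(encode_wimax_vsa(1, body).hex())
```

The decoder checks that the vendor length agrees with the outer attribute length and refuses a stream whose last fragment still has the continuation bit set; both are the places where a parser that trusts the inner length field would read past the attribute.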

Service Definition
The service profile definitions in NasCfgDbs have been enhanced to support Wimax attributes as follows:
Ability to construct TLV attributes
Ability to echo attribute values from the request
Following is a sample Wimax service definition:

[Wimax_NWG]
Dictionary=Wimax.dic
WimaxDefault:PPP, WiMAX-Capability={WiMAX-Accounting-Capabilities=$RO:WiMAX-Capability.WiMAX-Accounting-Capabilities, WiMAX-Hotlining-Capabilities=$RO:WiMAX-Capability.WiMAX-Hotlining-Capabilities, WiMAX-Release=$RO:WiMAX-Capability.WiMAX-Release}

TLV Attributes
A TLV attribute is created as part of a service definition by:
Opening the attribute value with a { character
Followed by one or more regular attribute=value definitions, separated by commas
Closing with a } character

Echo of Request Attributes


A request attribute value can be echoed in a service reply attribute by using the $R: prefix in the value definition. For example, the following definition echoes the User-Name attribute from the request:
User-Name=$R:User-Name

Optional Attributes
An optional attribute is an attribute=value definition where the attribute is not placed in the reply list if the value is not defined. For example, the following definition echoes the User-Name attribute from the request if it exists in the request, and otherwise omits it:
User-Name=$RO:User-Name
Note: in the previous sample (without the O), if the User-Name attribute does not appear in the request, an error is generated and an Access-Reject message is sent.
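The three rules above (TLV construction with { }, mandatory echo with $R:, optional echo with $RO:) combine into a small evaluator. The following is an added example in Python, not Aradial's NasCfgDbs parser, that interprets a reply definition in the syntax shown on this page against a request: dotted paths select sub-TLVs, a missing $RO: value drops the attribute from the reply, and a missing $R: value turns the whole authorization into an Access-Reject, as the note states. Requests are constructed dicts in which a nested dict stands for a TLV attribute.

```python
"""Added example, not Aradial's NasCfgDbs parser: a small interpreter for the
service reply syntax on this page ($R:/$RO: echo, {..} TLV construction,
dotted sub-TLV paths).  Requests are constructed dicts; a nested dict stands
for a TLV attribute."""


class MissingAttribute(Exception):
    """A $R: reference whose attribute is absent from the request."""


def split_top_level(text: str) -> list:
    """Split on commas that are not inside {...}."""
    parts, depth, cur = [], 0, ""
    for ch in text:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth < 0:
                raise ValueError("unexpected '}' in service definition")
        if ch == "," and depth == 0:
            parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if depth != 0:
        raise ValueError("unbalanced braces in service definition")
    if cur.strip():
        parts.append(cur.strip())
    return parts


def lookup(request: dict, path: str):
    """Resolve 'Tlv-Attribute.sub-tlv-attribute' paths; None if absent."""
    node = request
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def expand_value(value: str, request: dict):
    if value.startswith("{") and value.endswith("}"):
        return expand_pairs(value[1:-1], request)      # TLV: nested reply
    if value.startswith("$RO:"):
        return lookup(request, value[4:])              # optional echo
    if value.startswith("$R:"):
        found = lookup(request, value[3:])             # mandatory echo
        if found is None:
            raise MissingAttribute(value[3:])
        return found
    return value                                       # literal


def expand_pairs(text: str, request: dict) -> dict:
    reply = {}
    for item in split_top_level(text):
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"expected attribute=value, got {item!r}")
        expanded = expand_value(value.strip(), request)
        if expanded is not None:                       # $RO: miss -> omitted
            reply[name.strip()] = expanded
    return reply


def authorize(service_text: str, request: dict):
    """Return ('Access-Accept', reply attributes) or ('Access-Reject', None)."""
    try:
        return "Access-Accept", expand_pairs(service_text, request)
    except MissingAttribute:
        return "Access-Reject", None


if __name__ == "__main__":
    echo = ("WiMAX-Capability={WiMAX-Accounting-Capabilities=$RO:WiMAX-Capability.WiMAX-Accounting-Capabilities, "
            "WiMAX-Hotlining-Capabilities=$RO:WiMAX-Capability.WiMAX-Hotlining-Capabilities, "
            "WiMAX-Release=$RO:WiMAX-Capability.WiMAX-Release}")
    request = {"User-Name": "alice",
               "WiMAX-Capability": {"WiMAX-Release": "1.3", "WiMAX-Accounting-Capabilities": "Flow-Based"}}
    print(authorize(echo, request))
```

Running the page's WimaxDefault definition against a request that carries no WiMAX-Hotlining-Capabilities yields a WiMAX-Capability reply with only the two sub-attributes the client sent, which is the behaviour the $RO: prefix is for; change the prefix to $R: and the same request is rejected.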

Access to Sub-TLVs
References to sub-TLVs are supported in the following template definitions:
AcctLog.tpl: definition of accounting text files
AcctLogExtended.tpl: mapping of accounting attributes to an SQL database
ActiveSessions.tpl: mapping of accounting attributes to the Active Sessions database
ActivityLog.tpl: inclusion of RADIUS attributes in the activity log
A reference to a sub-TLV attribute has the following format:
Tlv-Attribute.sub-tlv-attribute
For example: WiMAX-QoS-Descriptor.WiMAX-Traffic-Priority


TCL Scripting Module
In the TCL scripting module, sub-TLVs can both be read and created using the same notation as above.

NAS Simulator
The NAS simulator has been enhanced to support simulation of Wimax scenarios as follows:
Support for creation of Wimax TLV attributes in requests, in a format similar to the format used for defining service reply lists in NasCfgDbs
Support for multi-line definitions in simulation files
Following is a sample simulation file definition which demonstrates the enhancements:

00:00:00:00,WimaxUser1,password,00:20,
Auth:NAS-Port-Type=Virtual, WiMAX-Capability={WiMAX-Release=1.3, WiMAX-Accounting-Capabilities=Flow-Based, WiMAX-Hotlining-Capabilities=Not-Supported};
AcctStart:NAS-Port-Type=Virtual;
AcctStop:NAS-Port-Type=Virtual,Acct-Input-Octets=1000, Acct-Output-Octets=0,Acct-Delay-Time=0

Wimax Flows
Authentication
Wimax authentication is done using the EAP-TTLS method. Depending on the TTLS inner authentication method, user passwords may need to be stored in plain text in the Aradial user database: if the inner authentication method is different from PAP, passwords must be stored as clear text; for the PAP inner method, passwords can be stored in any supported encryption method. A user database holding clear-text passwords is a high-value target, so restrict access to it (database credentials, file permissions and backups) accordingly.


Authorization
Wimax Capability Exchange
Wimax capability exchange can be implemented using two policies:

Echo of Client Capabilities: in this policy, the RADIUS server replies to the client with the same set of capabilities as the client requested. Here is how the Wimax service needs to be defined to implement this policy:

WimaxEcho:
WiMAX-Capability={WiMAX-Accounting-Capabilities=$RO:WiMAX-Capability.WiMAX-Accounting-Capabilities, WiMAX-Hotlining-Capabilities=$RO:WiMAX-Capability.WiMAX-Hotlining-Capabilities, WiMAX-Release=$RO:WiMAX-Capability.WiMAX-Release}

Note that with the echo policy the client chooses the accounting mode, including No-Accounting (value 0 in Wimax.dic); where the operator must enforce accounting, use the server specific policy below.

Server Specific Capabilities: in this policy, the Wimax service defines specific capabilities. For example:

WimaxService:
WiMAX-Capability={WiMAX-Release=1.3, WiMAX-Accounting-Capabilities=IP-Session-Based, WiMAX-Hotlining-Capabilities=NAS-Filter-Rule, WiMAX-Idle-Mode-Notification-Cap=Supported}

AAA Session Id
AAA-Session-Id is a Wimax VSA that the AAA server generates after a successful authentication and represents a unique session Id. In order to generate this attribute, the WimaxAlg algorithm can be used. See Raddb\rad_algs.wimax for a sample authorization flow using this algorithm.

Accounting
Wimax offline accounting can be either IP session based or flow based and it is determined during the Wimax capability exchange phase. Both modes of accounting are supported.


Appendix A

Configuring Web Servers

How to Integrate Aradial with your web server.
Please note that most common web servers which allow the use of ISAPI or NSAPI also allow the use of CGI. You should only use CGI on such web servers if the API is causing you any problems (in which case, please also notify us).

Microsoft Internet Information Server (IIS)


Interface: ISAPI, CGI
Please review the separate manual on configuring Aradial with IIS (Configuring-IIS-with-Spotngo.pdf).
Document: Configuring-IIS-with-Spotngo.pdf
ARDAdminIS.dll: the Aradial Administration DLL.
ARDWscIS.dll: the Aradial WSC DLL.
ARDPortalIS.dll: the Aradial Portal DLL.


Apache using API


Interface: API


Appendix B

ODBC Compatible Databases

How to Integrate Aradial with Your ODBC Compliant Database.

Microsoft Access
No further configuration is required when Microsoft Access (.MDB) is used. Aradial will automatically configure the ODBC source during the installation process.

Microsoft SQL Server


Please review: "c:\Program Files\Aradial\Docs\Aradial-MSSQL-Configuration-Guide.pdf"
Or download it from the FTP site.
To create the Aradial database on your SQL server, use the script provided in the <Aradial path>\database\MsSql directory, MSSQL.sql. After the database has been created, create the ODBC DSN using the ODBC Data Source Administrator (My Computer > Control Panel > ODBC32). After opening the ODBC Data Source Administrator, select the System DSN tab and click Add. Select the SQL Server driver and click Finish. The Create New Data Source to SQL Server dialogue opens, as shown in Figure B.1:


Figure B.1: Create a New Data Source to SQL Server Dialogue

For the Name field, enter the name of the database as Aradial should call it (see Connect String in Advanced Configuration). Select your SQL server from the Server selection box and click Next. In the next page, for How should SQL Server verify the authenticity of the login ID? select With SQL Server authentication using a login ID and password entered by the user. In Login ID, enter a valid SQL Server login ID, and enter the login password in the password field; use a dedicated login that has rights only on the Aradial database rather than an administrative account. Click Next. In the next page, check the checkbox for Change the default database to: and select the database with the Aradial structure. Click Next and then Finish. After configuring the ODBC source, make sure to configure Aradial to use the source you have defined (see Chapter 5, Advanced Server Configuration section).

MySQL Server
Please review: c:\Program Files\Aradial\Docs\Aradial-MySQL Database on Windows.pdf
Or download it from the FTP site.


Oracle Server and Oracle RAC


1. The Oracle schema can be found under [Aradial Path]/Database/Oracle.
2. Go to c:\Program Files\Aradial\Hts\Messages\Oracle and copy all 3 *.txt files to c:\Program Files\Aradial\Hts\Messages (these are the SQL statements customized for Oracle). On Linux, copy the *.txt files from aradial-dir/Hts/Messages/Oracle to aradial-dir/Hts/Messages.
3. Configure Metering to use the Oracle database: go to the Admin/Configuration/Metering page and select Oracle as the Database type.
4. Configure the connection string for Oracle. Update the registry on Windows:
HKEY_LOCAL_MACHINE\SOFTWARE\Aradial\Radius\3.0\DataBase\ConnectStr
or rbsrad.conf on Linux:
[Database]
ConnectStr=
The value to put there: database;user;password
Since the database password is stored in the clear in this registry key / file, restrict read access to it to the Aradial service account and administrators.
5. On Windows: copy ARDServOracle.exe over ARDServ.exe, and copy Webserver/Service/ARDAdminOracle.exe to Webserver/Service/ARDAdmin.exe. On Linux: update the /etc/init.d/ardrad script to use Oracle instead of ODBC by commenting the odbc line and uncommenting the oracle one, as follows:
#DBTYPE=odbc
DBTYPE=ora
and update the ardserver symbolic link in the Aradial root directory to point to the ardserverora process, by running the following in the Aradial root directory:
ln -fs ardserverora ardserver
6. Restart the Aradial server service, Admin, WSC and Portal.


Appendix

NAS/Access Server Configuration

How to Configure Your NAS for RADIUS Authentication, Authorization and Accounting.

Following are configuration notes for how to configure your Network Access Server for RADIUS Authentication, Authorization and Accounting. If your NAS is not present in this appendix, please check http://www.aradial.com/radius, which includes the latest information about RADIUS compliant equipment. Also, be sure to review your NAS manual for further information regarding RADIUS support. Several of the procedures below refer to the legacy RADIUS UDP ports 1645 (authentication) and 1646 (accounting); the ports assigned in RFC 2865 and RFC 2866 are 1812 and 1813, as used in the Cisco VOIP sample. Use the ports your Aradial server is configured to listen on.

3Com - AccessBuilder
Requirements: OS Version 7.0 and up, Transcend AccessBuilder Manager (TABM) Version 4.0 and up.
Supports: Authentication, Accounting
1. Start the Transcend AccessBuilder Manager (TABM).
2. Select the AccessBuilder to configure and click Open.
3. Select the Configuration menu and choose Security Parameters to configure the AccessBuilder for RADIUS authentication.
4. Select the Security Server Type field and choose RADIUS from the available options.
5. For Authentication information, you will be required to enter the following:
External Security IP Address: Enter the IP address of the machine running your Aradial (RADIUS Server).
Second External Security Server IP Address: Enter the IP address of a backup Aradial (RADIUS Server), if available.
Security Client Password: Enter the secret password to be used between the AccessBuilder and Aradial (RADIUS Server); you will enter the same secret password when you add the AccessBuilder as a NAS in Aradial (RADIUS Server).
Security Retry Timer: Use the default value.
6. For Accounting for RADIUS and TACACS+ Server information you will be required to enter the following:
Security Accounting Server IP Address: Enter the IP address of Aradial (RADIUS Server); you will enter the same secret password when you add the AccessBuilder as a NAS in Aradial (RADIUS Server).
7. For RADIUS Authorization information you will be required to enter the following:
Authorization IP Address: Enter an IP address of 0.0.0.0.
Second Authorization IP Address.
Security Authorization Password: Enter the same secret password that you entered for authentication.
Security Authorization UDP Port: Enter the UDP port used by the Aradial (RADIUS Server); this is usually port 1645.
8. For 3Access Secure IP Firewall Options select Disabled.
9. Click Apply to set these changes to your Security Parameters.
10. Select the Control menu and choose Save Configuration.
11. Select the Control menu and choose Reset Server to have your changes take effect.


3Com Corporation, US Robotics


Requirements: USR NETServer Manager version 3.3.3 and up.
Supports: Authentication, Accounting
1. Start the USR NETServer Manager (Version 3.3.3 or later).
2. When prompted for the NetServer to connect to, enter the IP address (or host name) of the NETServer that you wish to connect to, and its password.
3. Select RADIUS from the Tables menu.
4. Open the Security tab in the Radius Configuration screen, and enter the following:
Address: Enter the IP address of the machine running your Aradial (RADIUS Server).
Port: Enter the UDP port used by the Aradial (RADIUS Server); this is usually port 1645.
5. Click the RADIUS Secret button. For Secret, enter the secret password to be used between the NetServer and Aradial (RADIUS Server); you will enter the same secret password when you add the NetServer as a NAS in Aradial (RADIUS Server).
6. Open the Accounting tab in the Radius Configuration screen, and enter the following:
Address: Enter the IP address of the machine running your Aradial (RADIUS Server).
Port: Enter the UDP port used for accounting by the Aradial (RADIUS Server); this is usually port 1646.
7. Click the RADIUS Secret button. For Secret, enter the secret password to be used between the NetServer and Aradial (RADIUS Server).

Ascend Communications, Inc. MAX


Requirements: Telnet client
Supports: Authentication, Accounting
1. Telnet to the MAX.
2. From the Main Edit Menu select Ethernet and press Enter.
3. From the Ethernet menu select Mod Config.
4. To add RADIUS authentication to the MAX, select Auth... and press Enter.
5. Select the Auth= field and use the Enter key to change the Auth= field to RADIUS.
6. Select the Auth Host #1 field. Press Enter and enter the IP address of Aradial (RADIUS Server).
7. Select the Auth Key= field. Press Enter and enter the secret password to be used between the MAX and Aradial (RADIUS Server); you will enter the same secret password when you add the MAX as a NAS in Aradial (RADIUS Server). Use the default values for the Auth Port= (1645) and the Auth Timeout= (5) fields.
8. Press Esc to exit this menu.
9. If you are running a backup Aradial (RADIUS Server), repeat steps 6 through 8 above after first selecting the Auth Host #2 field.
10. From the Main Edit Menu select Accounting and press Enter.
11. Select the Acct= field and use the Enter key to change the Acct= field to RADIUS.
12. Select the Acct Host #1 field. Press Enter and enter the IP address of Aradial (RADIUS Server).
13. Select the Acct Key= field. Press Enter and enter the secret password to be used between the MAX and Aradial (RADIUS Server).
14. Press Esc to exit this menu.
15. If you are running a backup Aradial (RADIUS Server), repeat steps 12 through 14 above after first selecting the Acct Host #2 field.
16. Press Esc to exit the Mod Config menu. When prompted to do so select Exit and Accept.

CheckPoint, Ltd. Firewall 1


Requirements: Firewall 1 version 3.0 and up
Supports: Authentication
1. Start the FireWall-1 Windows GUI or OpenLook GUI.
2. Bring up the Control Properties and select the Authentication tab.
3. Click Add to add Aradial (RADIUS Server) to the list.
4. Enter the following data:
Name: the name of Aradial (RADIUS Server). Make sure that this name can be resolved using DNS; if not, create an entry in your DNS server which points to Aradial.
Shared Secret: The secret password to be used between FireWall-1 and Aradial (RADIUS Server); you will enter the same secret password when you add the Firewall-1 as a NAS in Aradial (RADIUS Server).
Repeat Shared Secret: Re-enter the secret password.
5. Click OK.

Cisco Systems, Inc. - IOS access servers


Note: review the separate manual Cisco-Configurations.pdf; it is updated more frequently than this manual.
Requirements: IOS Release 11.1 and up
Supports: Authentication, Accounting
1. Telnet to the Cisco access server and log in with a valid Username and Password. After a few seconds you will see the access server prompt.
2. Enter the privileged command level by typing enable at the prompt.
3. Type configure terminal to enter configuration mode.
4. Type radius-server host <ip address> or radius-server host <hostname> to specify the Aradial (RADIUS Server) that will be used by the access server. Use the IP address of Aradial (RADIUS Server).
5. Type radius-server key <secret> to set the secret password to be used between the Cisco access server and Aradial (RADIUS Server); you will enter the same secret password when you add the Cisco access server as a NAS in Aradial (RADIUS Server).
6. Type the following sequence of commands, in their exact order, to enable RADIUS Authentication on the access server:
aaa new-model
aaa authentication ppp enable radius
aaa authentication ppp radius radius
7. Type aaa accounting network start-stop radius to enable RADIUS Accounting for remote access activity on the access server.
8. Type aaa accounting exec start-stop radius to enable RADIUS Accounting for shell (EXEC) activity on the access server.
9. Type Ctrl-Z to exit from configuration mode.
10. Save this new configuration to your configuration file by typing write.


Cisco PIX firewalls


Note: review the separate manual Cisco-Configurations.pdf; it is updated more frequently than this manual.
Requirements: Firewall 4.0 and up
Supports: Authentication
1. Telnet to the PIX Firewall.
2. Enter the privileged command level by typing enable at the prompt.
3. Type configure terminal to enter configuration mode.
4. Type radius-server host <ip_address> <key> to specify the Aradial (RADIUS Server) that will be used by the firewall. For <ip_address>, use the IP address of Aradial (RADIUS Server). <key> represents the secret password to be used between the PIX Firewall and Aradial (RADIUS Server); you will enter the same secret password when you add the PIX Firewall as a NAS in Aradial (RADIUS Server).
5. Type aaa authentication <service> inbound|outbound <ip_address> <netmask> radius to enable the PIX Firewall with RADIUS support. The syntax is defined by:
<service> is the service to be authenticated: any, ftp, http, or telnet. The any value specifies that FTP, HTTP, or Telnet connections be authenticated.
Enter either inbound to authenticate inbound connections or outbound to authenticate outbound connections.
<ip_address> is the IP address from which or to which access is authenticated. If you want every system in your network to authenticate to this type of server, use 0.0.0.0 for the IP address.
<netmask> is the network mask of <ip_address>. Always specify a specific mask value. If you want to limit authentication to a single IP address, use 255 in each octet; for example, 255.255.255.255.
radius means to authenticate using Remote Authentication Dial-In User Service (RADIUS).
6. Type aaa authorization <service> inside|outside <ip_address> <netmask> to set parameters that restrict a user's network access based on RADIUS authentication. The syntax is defined by:
<service> is the service on which to authorize: ftp, http, telnet, a port range, or any. Specify a TCP port or port range for FTP, HTTP, or Telnet services that are not on the standard ports for these services. The standard ports are 20 and 21 for FTP, 80 for HTTP, and 23 for Telnet.
Enter either inbound to authorize inbound connections or outbound to authorize outbound connections.
<ip_address> is the IP address from which or to which access is authorized. If you want every system in your network to authorize to this type of server, use 0.0.0.0 for the IP address.
<netmask> is the network mask of <ip_address>. Always specify a specific mask value. If you want to limit authorization to a single IP address, use 255 in each octet; for example, 255.255.255.255.

Cisco VOIP
Note: review the separate manual Cisco-Configurations.pdf; it is updated more frequently than this manual.
1. Telnet to the Cisco box.
2. Enter the privileged command level by typing enable at the prompt.
3. Type configure terminal to enter configuration mode.
This is a configuration sample:

!
Router# show running-config
Building configuration...
Current configuration:
!
! Last configuration change at 08:41:12 PST Mon Jan 10 2000 by lab
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname GW
!
logging buffered 100000 debugging
aaa new-model
aaa authentication login default local group radius
aaa authentication login h323 group radius
aaa authentication login con none
aaa authorization exec h323 group radius
aaa accounting connection h323 start-stop group radius
!
username lab password xxx
username 111119 password xxx
!
!
!
controller T1 3
!
gw-accounting h323 vsa
!
interface FastEthernet0
ip address 16.0.0.2 255.xxx.255.0
no ip directed-broadcast
duplex full
speed 10
no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.14.xxx.5
ip route 192.14.xxx.32 255.255.xxx.240 16.0.0.1
no ip http server
!
!
radius-server host 61.9.10.219 auth-port 1812 acct-port 1813
radius-server key 1234
radius-server vsa send accounting
radius-server vsa send authentication
!
end

The sample above is a lab configuration: it disables password encryption (no service password-encryption), uses placeholder user passwords and a trivial shared secret (radius-server key 1234). For production, enable service password-encryption, use a long random RADIUS key that matches the NAS entry in Aradial, and keep the RADIUS traffic on a management network, since the shared secret is the only protection RADIUS offers for the exchange.

For more information please review: http://www.cisco.com/en/US/tech/tk652/tk701/technologies_white_paper09186a00800d6b72.shtml


http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122relnt/5300/rn5300xa.htm

Quintum VOIP
Access the CLI of the Quintum.
1. Go to the configuration radius# prompt.
2. Type host p followed by the IP address of the primary RADIUS server (e.g. host p 61.9.10.219). The "p" indicates the primary RADIUS server.
3. Type host s followed by the IP address of the secondary RADIUS server (e.g. host s 61.9.10.219). The "s" indicates the secondary RADIUS server.
4. Type sharedsecret (the shared secret is similar to a password) followed by the RADIUS key of up to 64 characters (e.g. sharedsecret 454AJU). Use the same secret when you add the Quintum as a NAS in Aradial.
5. Ensure accountingtype is configured and not left at 0; otherwise no Accounting-Stop messages are sent. Please read the article below:
http://www.quintum.com/support/xplatform/ivr_acct/webhelp/RADIUS_Interface.htm


Computone Corporation Intelliserver/PowerRack


Requirements: Intelliserver release 1.4.1, PowerRack release 1.3.1
Supports: Authentication, Accounting

1. Telnet to the server and log in with a valid login.
2. Type menu to access the menu interface.
3. From the Main Menu select Administration and press Enter.
4. From the Administration Menu select Network and press Enter.
5. From the Network Menu select RADIUS/SNMP and press Enter.
6. From the Configure RADIUS/SNMP Menu enter the following values:
   Primary RADIUS Host: your Aradial (RADIUS Server) IP address. If you have a backup Aradial (RADIUS Server), enter its IP address in the Secondary RADIUS Host field.
   Primary RADIUS Accounting Host: your Aradial (RADIUS Server) IP address. If you have a backup Aradial (RADIUS Server), enter its IP address in the Secondary RADIUS Accounting Host field.
   RADIUS CHAP Secret: the shared secret used between the IntelliServer or PowerRack and Aradial (RADIUS Server); you will enter the same secret when you add the IntelliServer or PowerRack as a NAS in Aradial (RADIUS Server).
   Accounting CHAP Secret: the same secret you entered for authentication.
7. To save your changes, press Esc.
8. Type Y to save your changes.

Lucent Technologies, Inc. - PortMaster


Requirements: PMconsole
Supports: Authentication, Accounting

1. Start PMconsole.
2. Open a connection to your PortMaster.
3. From the Edit menu, select RADIUS and enter the following values:
   Primary Server: your Aradial (RADIUS Server) IP address.
   Accounting Server: your Aradial (RADIUS Server) IP address.
   RADIUS Secret: the shared secret used between the PortMaster and Aradial (RADIUS Server); you will enter the same secret when you add the PortMaster as a NAS in Aradial (RADIUS Server).
   If you are running a backup Aradial (RADIUS Server), you may enter its IP address in the Alternative Server and Alternative Acct Server fields.
4. Save this information to the PortMaster by clicking Save.

Microsoft Corporation - Routing and Remote Access Service (RRAS)


Requirements: RRAS (this is NOT the RAS bundled with Windows; download RRAS from Microsoft's web site), RRAS Hotfix 3
Supports: Authentication, Accounting

1. Open the Windows Control Panel.
2. Open Network.
3. Select the Services tab.
4. Select Routing And Remote Access Service and click Properties.
5. Click Network on the Remote Access Setup screen.
6. For Authentication and Encryption settings select Allow any authentication including clear text. This setting allows PAP negotiation, which is required for pass-through authentication to NT Domains or Workgroups. See Microsoft's knowledge base article Q172216 for further assistance. Note that with PAP the user password crosses the dial-up link in clear text; between RRAS and Aradial it is hidden only by the RADIUS shared secret, so keep that secret strong and private.
7. For Authentication Provider select RADIUS and click Configure....
8. On the RADIUS Configuration screen click Add and enter the following:
   Server Name: the IP address of Aradial (RADIUS Server).
   Secret: the shared secret used between RRAS and Aradial (RADIUS Server); you will enter the same secret when you add RRAS as a NAS in Aradial (RADIUS Server).
   Timeout: the time RRAS waits for a response from Aradial (RADIUS Server) before timing out a session. The default of 5 is OK.
   Initial Score: when using multiple RADIUS servers, RRAS gives each one a score based on its response rate; the higher the score, the more likely RRAS is to send the request to that RADIUS server first. The default of 30 is OK.
   Enable Authentication: set the Port value to the authentication port Aradial (RADIUS Server) listens on, usually 1645.
   Enable Accounting: set the Port value to the accounting port Aradial (RADIUS Server) listens on, usually 1646.
   (1645/1646 are the legacy RADIUS ports; the IANA-assigned ports are 1812 for authentication and 1813 for accounting, as used in the Cisco sample above. Use whichever ports Aradial is configured for.)
   Send Accounting On/Off Message: enables the Accounting-On/Accounting-Off messages sent when RRAS starts up or shuts down. This option may be enabled.
9. Click OK.
10. Click OK when done adding RADIUS servers.
11. Click OK to exit the Network Configuration screen.
12. Click Continue to exit the Remote Access Setup screen.
13. Click Close to exit the Network screen. Windows will now re-bind protocols/services and require a restart.

Shiva Corporation - LanRover


Requirements: LanRover/LanRover Access Switch version 4.5 and up, Shiva Net Manager
Supports: Authentication, Accounting

1. Start the Shiva Net Manager.
2. Select your LanRover or LanRover Access Switch from the device list.
3. Choose Security from the Configuration options.
4. In the User Authentication section, select RADIUS.
5. Click the Add button in the RADIUS section.
6. Enter the following data:
   IP Address: the IP address of Aradial (RADIUS Server).
   UDP Port: the UDP port used by Aradial (RADIUS Server), usually 1645.
   Secret: the shared secret used between the LanRover and Aradial (RADIUS Server); you will enter the same secret when you add the LanRover as a NAS in Aradial (RADIUS Server).
7. Click Done.
8. Select Additional Configuration from the Configuration options.
9. Add the following information in the Security section:
   UseExtendedAttributes=1
   ExtendedAttributeBase=51
10. Add the following information in the Accounting section:
   RADIUSAccounting=1
   LogAccounting=1
   RADIUSAcctServer=<ip address>, <acct port>, <secret>
   RADIUSAcctServerRetryCount=3
   RADIUSAcctServerRetryInterval=10
   where <ip address> is the IP address of Aradial (RADIUS Server), <acct port> is the UDP port Aradial (RADIUS Server) uses for accounting, usually 1646, and <secret> is the shared secret used between the LanRover and Aradial (RADIUS Server) for accounting.
11. Save the new configuration settings and send the changes to the device.


Access Point Configuration


Proxim AP 2500 \ Nomadix
Review the separate manual C:\Program Files\Aradial\Docs\Nomadix-Configuration.pdf; it is updated more frequently than this manual.
Please see more information at Nomadix: http://www.nomadix.com/aghelp/ag2000w/usg_helpEstablishing_the_Authorization_O.htm

Colubris
Review the separate manual C:\Program Files\Aradial\Docs\Colubris CN - MSC Access Server Configuration V2.0.pdf; it is updated more frequently than this manual.

Mikrotik
Review the separate manuals:
http://www.aradial.com/DownLoads/Mikrotik-Aradial-Configuration-Guide.pdf
http://www.aradial.com/DownLoads/Mikrotik-BandWidth-Control.pdf

ValuePoint / Zyxel / Planet


Review the separate manual.

Chillispot / Ikros / Linksys / PfSense / DD-WRT / Monowall


Review the separate manual.

Chillispot - software based, deployed on a Linux PC.
MonoWall - firewall based access controller; installs on an embedded solution (hardware: Embedded Wrap Board 1E1, $209, indoor) or on most generic PCs with dual Ethernet ports.
PfSense - firewall based access controller; installs on an embedded solution (hardware: Embedded Wrap Board 1E1, $209, indoor) or on most generic PCs with dual Ethernet ports.
DD-WRT - open source firmware installed on various routers (selected models include WRT54 G/GS, Buffalo WHR-HP-G54, WHR-G54 and many others).
Ikarus - by Antcor.

http://www.aradial.com/DownLoads/Linksys-WRT54-DD-WRT-V23-b2.pdf


Buffalotech
Review the separate manual. It is the same as for Chillispot.

Handilink
Review the separate manual.

Bluesocket
What information is needed:

1. The IP address of your Aradial machine; in this document we assume it to be 10.10.10.1.
2. The IP address of your WG; in this document we assume it to be 10.10.10.20.
3. A shared password between the WG and Aradial, referred to as the RADIUS Secret. It hides the user password on the wire and authenticates the RADIUS packets exchanged between the WG and Aradial, so it must be identical on both sides. In this document we assume it to be shared_secret; choose your own.
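The following is an added example, not Aradial's or Bluesocket's own code, of what the RADIUS Secret does on the wire as specified by RFC 2865: the NAS hides the User-Password attribute with an MD5 keystream derived from the secret and the per-request Request Authenticator, and the server's reply carries a Response Authenticator that the NAS can only verify with the same secret. The secret value shared_secret, the sample password and the fixed Request Authenticator used in the usage are assumptions; a real NAS picks a fresh random Request Authenticator for every request.

```python
import hashlib
import hmac
import os
import struct

# Assumed value from the text above; use a long random secret in a real deployment.
SHARED_SECRET = b"shared_secret"


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 (NAS side): pad the password with NULs to a multiple of
    16 octets, then XOR each block with MD5(secret + previous block), the first block
    using the 16-octet Request Authenticator. This is obfuscation keyed by the shared
    secret, not authenticated encryption: anyone holding the secret who captures the
    packet recovers the password."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16) if password else b"\x00" * 16
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side: undo the hiding. The chaining input is the previous *hidden* block,
    so decryption needs only the secret and the Request Authenticator from the packet."""
    if len(hidden) % 16 or not 16 <= len(hidden) <= 128:
        raise ValueError("hidden User-Password must be 16..128 octets, a multiple of 16")
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def response_authenticator(code: int, identifier: int, request_authenticator: bytes,
                           attributes: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    A reply forged without the secret fails this check on the NAS, which is why the
    same secret must be configured on the WG and in Aradial's NAS entry."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def build_access_accept(identifier: int, request_authenticator: bytes,
                        attributes: bytes, secret: bytes) -> bytes:
    """Server side: an Access-Accept (code 2) with a correct Response Authenticator."""
    auth = response_authenticator(2, identifier, request_authenticator, attributes, secret)
    return struct.pack("!BBH", 2, identifier, 20 + len(attributes)) + auth + attributes


def reply_is_authentic(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """NAS side: validate a raw RADIUS reply against the request it answers."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, request_authenticator, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    ra = os.urandom(16)                                   # what a NAS does per request
    hidden = hide_password(b"s3cret!", SHARED_SECRET, ra)
    print(hidden.hex(), reveal_password(hidden, SHARED_SECRET, ra))
    accept = build_access_accept(1, ra, b"", SHARED_SECRET)
    print(reply_is_authentic(accept, ra, SHARED_SECRET), reply_is_authentic(accept, ra, b"wrong"))
```

Because the hiding is a stream of MD5 outputs keyed only by the secret, a short or guessable secret lets an attacker who captures one Access-Request brute-force it offline and read every password that follows; the RADIUS Secret deserves the same handling as any other long-lived key.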
Steps to do on WG:

1. Login. Log in to the Bluesocket WG web administration page at https://10.10.10.20/admin.pl. In the Sign In Administrator username text box type admin, and in the Password box enter your password.

2. Protected network configuration. Go to Network -> Protected. If you are using a DHCP server on the protected side of the network to assign IP settings dynamically, check the Obtain IP settings from DHCP server for the interface checkbox. If you are assigning IP settings manually, clear that checkbox and enter the interface's IP address and other address settings in the text boxes. The secondary DNS, Default Domain and Hostname are all optional. Choose any remaining optional settings according to your network configuration. Click Save to store the information.

3. Managed network configuration. Go to Network -> Managed and click the Interface link. A DHCP relay agent running on the protected side of the network dynamically assigns addresses to clients. If you are not running DHCP relay, you can set the WG to assign addresses to clients dynamically via its resident DHCP server, assign clients fixed IP addresses, or both. To assign a fixed address to the managed interface, enter the IP address and netmask in the spaces provided. To assign the managed interface address dynamically via DHCP, check the Obtain IP settings from DHCP server for the interface checkbox and enter an optional DHCP timeout value in the space provided.
Note: if you assigned a fixed IP address to the protected interface, you must also assign a fixed address to the managed interface.
Choose any remaining optional settings according to your network configuration. If you choose to run the WG DHCP server, check the Run DHCP Server checkbox and enter the IP address and netmask of the managed interface in the spaces provided, then go to the DHCP Server link and fill in the fields according to your network configuration. The only mandatory field is Primary DNS; all the rest are optional. Click Save to store the information.

4. Services configuration. Go to Services -> Services. Edit the HTTP service in the existing services list: in the Port field add the values 8000, 8001, 8002 to the existing port 80, separated by commas. Click Save to store the information. From the Create drop-down list on the Services tab, choose Service. In the Name text box put RADIUS, in the Protocol select box select UDP, and in the Port text box put the port of your RADIUS authentication protocol (how to determine the RADIUS ports is discussed below). Click Save to store the information. Create a second service with RADACCT as the Name, UDP as the Protocol, and the port of your RADIUS accounting protocol in the Port field (also discussed below). Click Save to store the information.

5. Setting destination devices. Go to Destinations -> Destinations. From the Create drop-down list on the Destinations tab, choose Host. In the Name field put the desired name of the machine where Aradial is installed, and in the Address field its IP address. Click Save to store the information.
Note: if you need to set up a number of devices reachable within the network, you can configure a Destination Group by selecting Destination Group from the Create drop-down list on the Destinations tab.

6. Setting roles. Go to the Roles tab. From the Create drop-down list on the Roles tab, choose Role. In the Name field put a desired name for the role. In the Policy fields put the appropriate settings according to your configuration requirements. Choose any remaining optional settings according to your network configuration. Click Save to store the information.

7. Setting the external RADIUS server. Go to Users -> External Authentication Servers. From the Create drop-down on the Users tab, choose External RADIUS Authentication. Check the Enable server checkbox. In the Name text box put the desired name for your external RADIUS server. In the Server Address text box put the IP address or fully qualified domain name of the machine where Aradial is installed. In the Port text box put the port number for your RADIUS authentication (default is 1812).


In the Shared secret text box put the RADIUS secret shared between the WG and the Aradial server. In the Default role drop-down select box choose the role you created in step 6. In the Accounting server drop-down select box select Create; a new screen for RADIUS accounting settings appears. In the Name text box put the desired name for your external RADIUS accounting server. In the Server address text box put the IP address or fully qualified domain name of the machine where Aradial is installed. In the Port text box put the port number for your RADIUS accounting (default is 1813). In the Shared secret text box put the RADIUS secret shared between the WG and the Aradial server. Click Save to store the information; you will return to the previous screen. Click Save again to store the information.

8. General settings. Go to General -> HTTP. Ensure that the Allow user logins, Logout popup enabled and External server choice enabled check boxes are checked. If you want only authorized users to be able to connect, also uncheck the Allow guests logins check box. Click Save to store the information.

Go to General -> DNS. Check the Enable DNS Proxy check box. Check the Enable DNS resolution for local domain names check box. Click Save to store the information.


Appendix D
NAS Configuration Database
How to configure Aradial for NAS-specific services.
The NAS Configuration Database, or NASCfgDbs for short, defines how Aradial communicates with each NAS model type. It is the NASCfgDbs file under the <path to Aradial root directory>\RadDB directory and has three sections:

NAS Model Definition
This section defines an internal name for each type of NAS. Its format is:
MODEL Model_Name Model_Reference_Number
Where:
Model_Name may be up to 31 characters long and include all standard ASCII characters except space.
Model_Reference_Number is the number used by Aradial to enumerate the NAS models.
For example:
MODEL Aradial_NAS_Simulator 99

Service Definition
This section defines an internal number for each type of service. Its format is:
SERVICE Service_Name Service_Reference_Number
Where:
Service_Name may be up to 31 characters long and include all standard ASCII characters except space.
Service_Reference_Number is the number used by Aradial to enumerate the available services.

Additional NAS Model Attributes
Each of these sections defines the services and dictionary for one NAS model. Its format is:

[Model_Name]
Service_Name{qualifier}:Attribute_Name1=Attribute_Value1,Attribute_Name2=Attribute_Value2,...,Attribute_Namen=Attribute_Valuen
{Dictionary=Dictionary_File_Name}
{IPInAccountMsgs=Yes|No}
{MultiLinkIp=NoIp|NAS|User}

Where:
Model_Name is one of the models defined in the NAS Model Definition.
Service_Name is one of the services defined in the Service Definition.
qualifier is an optional qualifier that defines the role of the service section as either Reply or Check. A Reply service section is used for the Access-Accept reply. A Check service section is used to validate the Access-Request message. If no qualifier is given, Reply is assumed. A given service may have both Check and Reply sections.
Attribute_Name is the name of a RADIUS attribute.
Attribute_Value is a valid value for the RADIUS attribute or a Reference Name. Valid Reference Names for Attribute_Value are:
$FramedAddress - the address provided to the user when using a framed protocol. Usually used together with the Framed-Address RADIUS attribute.
$FramedFilterId - the name of the ACL filter to use for this connection. Usually used together with the Framed-Filter-Id RADIUS attribute.
$LoginHost - the address of the host the user will log in to. Usually used together with the Login-Host RADIUS attribute.
$CallbackNumber - the number to be used for a NAS callback feature.
$Custom - attributes that were entered in a User's or Group's Custom Attributes fields.

Dictionary_File_Name is optionally the name of the NAS attribute dictionary file. In most cases the default dictionary should be used, in which case you may omit this entry altogether, as it is loaded by default. The dictionary file, if used, must be located in the RadDB directory along with the NASCfgDbs file. The format of a dictionary file is:

ATTRIBUTE Attribute_Name Attribute_Number Attribute_Type
where:
Attribute_Name is the name of the attribute as accepted by your NAS.
Attribute_Number is the number of the attribute as accepted by your NAS.
Attribute_Type is the type of the attribute as accepted by your NAS. Valid types are:
string - 0 to 253 octets (bytes).
ipaddr - 4 octets in network byte order (i.e. aaa.bbb.ccc.ddd).
integer - 32 bit value in big endian order (i.e. big byte first).
date - 32 bit value in big endian order of seconds since 00:00:00 GMT, January 1st, 1970.
Refer to your NAS resources (i.e. your NAS documentation and your NAS vendor's web site) for the attribute names, numbers and types your NAS accepts.

VALUE Attribute_Name Value_Name Value_Number
where:
Attribute_Name is the attribute as defined in an ATTRIBUTE tag.
Value_Name is a valid value for the attribute.
Value_Number is the number that designates the value name.

IPInAccountMsgs defines whether the NAS sends user IPs in Accounting messages. The default is Yes.

MultiLinkIp defines how multi link IP assignment is handled, where:
NoIp specifies that no IP address is allocated.
NAS specifies that the NAS allocates the IP (returns 255.255.255.254).
User specifies that the user will request the IP (returns 255.255.255.253).
The default is NoIp.

A special [Default] NAS model defines the default services that are shared and may be used by all NAS models.


The default dictionary (default.dic), included with Aradial, encompasses the attributes and their respective values as defined by RFC 2138 and RFC 2139 for RADIUS authentication and accounting (since superseded by RFC 2865 and RFC 2866, which keep the same attribute numbering). Most NASes support these RFCs, and many have extensions (i.e. additional attributes/values) which may be defined by additional dictionaries and services. Aradial ships several such additional dictionaries, each conforming to a NAS's specifications:
3Com.dic for 3Com's range of NASes.
Ascend_MAX.dic for Ascend's MAX family of NASes.
Bay_Networks_Remote_Annex.dic for Bay Networks Remote Annex NASes.
Concentric_RemoteLink.dic for Concentric Networks RemoteLink NASes.
ITK_NetBlazer.dic for ITK's NetBlazer family of NASes.
Livingston_Portmaster.dic for Livingston's Portmaster family of NASes.
Livingston_Portmaster_Orig.dic for Livingston's original set of RADIUS attributes.
MichNet_Shared_Dial_In.dic for MichNet Shared Dial In services.
Shiva_LanRover_AccessSwitch.dic for Shiva's LanRover and AccessSwitch families of NASes.
US_Robotics_NETServer.dic for USRobotics' NETServer family of NASes.
UUNet_VIP.dic for UUNet's VIP Dial In services.
In most cases, other NASes that support RADIUS should use the default dictionary.

NasCfgDbs Split Lines Support


Aradial provides the ability to carry over a service definition over multiple lines.

Please note: every line of a multi line service definition (except the last) must end with a comma.

Following is a sample multi line definition:

PPP: User-Service-Type=Framed-User, Framed-Protocol=PPP, Framed-Address=$FramedAddress,
Framed-Filter-Id=$FramedFilterId, Framed-Netmask=255.255.255.255
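The following is an added example, not Aradial's own code, that reads a NASCfgDbs file and a dictionary file in the layouts this appendix describes, including the split-lines rule and the Reply/Check qualifiers, resolves the $ Reference Names from a user record and encodes the Reply attributes as RADIUS type-length-value octets. The sample NASCfgDbs and dictionary contents, the record field names behind each Reference Name, and the treatment of Dictionary=, IPInAccountMsgs= and MultiLinkIp= as plain key=value lines inside a model section are assumptions; $Custom is not handled.

```python
import re
import socket
import struct

# Constructed NASCfgDbs in the Appendix D layout (not Aradial's shipped file); the
# [Default] PPP definition is continued over two lines (the "split lines" rule).
NASCFG = """\
MODEL Aradial_NAS_Simulator 99
SERVICE PPP 1
[Default]
PPP: User-Service-Type=Framed-User, Framed-Protocol=PPP, Framed-Address=$FramedAddress,
Framed-Filter-Id=$FramedFilterId, Framed-Netmask=255.255.255.255
[Aradial_NAS_Simulator]
Dictionary=sample.dic
MultiLinkIp=NAS
PPP{Check}: NAS-Port-Type=Async
"""
# Constructed dictionary with the RFC 2865 attribute numbers; User-Service-Type and
# Framed-Address are the pre-RFC names of Service-Type (6) and Framed-IP-Address (8).
DICTIONARY = """\
ATTRIBUTE User-Service-Type 6 integer
ATTRIBUTE Framed-Protocol 7 integer
ATTRIBUTE Framed-Address 8 ipaddr
ATTRIBUTE Framed-Netmask 9 ipaddr
ATTRIBUTE Framed-Filter-Id 11 string
VALUE User-Service-Type Framed-User 2
VALUE Framed-Protocol PPP 1
"""
# Reference Name -> field of the user/group record it reads (field names assumed here).
REFERENCES = {"$FramedAddress": "FramedAddress", "$FramedFilterId": "FramedFilterId",
              "$LoginHost": "LoginHost", "$CallbackNumber": "CallbackNumber"}
SERVICE_RE = re.compile(r"^([^\s{:]+)(?:\{(Reply|Check)\})?\s*:(.*)$")

def join_split_lines(text):
    """Merge definitions continued over several lines: a line ending in ',' continues."""
    out, buf = [], ""
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        buf += line
        if not buf.endswith(","):
            out.append(buf)
            buf = ""
    if buf:
        raise ValueError("definition ends with a comma but has no continuation: " + buf)
    return out

def parse_nascfg(text):
    """Return models, services and per-model sections (options, Reply and Check services)."""
    cfg, section = {"models": {}, "services": {}, "sections": {}}, None
    for line in join_split_lines(text):
        words, svc = line.split(), SERVICE_RE.match(line)
        if words[0] in ("MODEL", "SERVICE") and len(words) == 3:
            cfg[words[0].lower() + "s"][words[1]] = int(words[2])
        elif line.startswith("[") and line.endswith("]"):
            section = cfg["sections"].setdefault(line[1:-1], {"options": {}, "reply": {}, "check": {}})
        elif section is None:
            raise ValueError("definition outside a [Model] section: " + line)
        elif svc and svc.group(1) in cfg["services"]:
            attrs = dict(a.strip().split("=", 1) for a in svc.group(3).split(",") if a.strip())
            section[(svc.group(2) or "Reply").lower()][svc.group(1)] = attrs
        elif "=" in line and ":" not in line:   # Dictionary=, IPInAccountMsgs=, MultiLinkIp=
            key, value = line.split("=", 1)
            section["options"][key.strip()] = value.strip()
        else:
            raise ValueError("unrecognised line: " + line)
    return cfg

def resolve(attrs, record):
    """Replace $Reference values with record fields; KeyError if a field is missing."""
    return {n: record[REFERENCES[v]] if v.startswith("$") else v for n, v in attrs.items()}

def parse_dictionary(text):
    """ATTRIBUTE name number type -> attrs[name]; VALUE attr name number -> values[(attr, name)]."""
    attrs, values = {}, {}
    for w in (l.split() for l in text.splitlines() if l.strip()):
        if w[0] == "ATTRIBUTE":
            attrs[w[1]] = (int(w[2]), w[3])
        elif w[0] == "VALUE":
            values[(w[1], w[2])] = int(w[3])
    return attrs, values

def encode_avp(name, value, attrs, values):
    """One RADIUS attribute as Type, Length, Value (RFC 2865 section 5)."""
    number, typ = attrs[name]
    if typ == "string":
        data = str(value).encode()
    elif typ == "ipaddr":
        data = socket.inet_aton(value)           # rejects malformed dotted quads
    elif typ in ("integer", "date"):             # a named VALUE resolves, else a plain number
        data = struct.pack("!I", values[(name, value)] if (name, value) in values else int(value))
    else:
        raise ValueError("unknown dictionary type " + typ)
    if not 1 <= len(data) <= 253:                # Length octet also counts the 2-octet header
        raise ValueError("%s: value must be 1..253 octets" % name)
    return struct.pack("!BB", number, len(data) + 2) + data

def build_reply(cfg, model, service, record, dictionary):
    """Access-Accept attributes: the [Default] Reply section, overridden by the model's own."""
    merged = dict(cfg["sections"].get("Default", {}).get("reply", {}).get(service, {}))
    merged.update(cfg["sections"].get(model, {}).get("reply", {}).get(service, {}))
    return b"".join(encode_avp(n, v, *dictionary) for n, v in resolve(merged, record).items())
```

Running build_reply(parse_nascfg(NASCFG), "Aradial_NAS_Simulator", "PPP", {"FramedAddress": "10.0.0.7", "FramedFilterId": "acl-guest"}, parse_dictionary(DICTIONARY)) yields the five attributes of the sample PPP definition in wire order; a record missing the field behind a Reference Name raises instead of silently sending an empty attribute, and a definition whose last line still ends in a comma is rejected rather than merged with whatever follows.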


Appendix E
HTS Customization
Reference guide to HTS customization.
If you have purchased the HTS Customization Kit for Aradial, you may change almost any aspect of the Aradial interfaces. HTS files are composed of HTML and Aradial proprietary tags. Before trying to change HTS files, we strongly suggest you get familiar with HTML. Make sure you back up the original HTS files before you change them!

HTS files are available under <Aradial path>\HTS and are divided into two sub directories:
Admin - holds the HTS files for the Administrator Interface.
User - holds the HTS files for the User and New User Interfaces.

Open the HTS files using any standard text editor, such as Notepad. We discourage the use of HTML editors, and especially visual WYSIWYG editors, as these will not recognize the Aradial extensions and may render the HTS file unusable.

HTS tags are divided into two categories:
DB Column - returns database column values into any HTML tag.
DB Table - returns database column values, building an HTML table around them.

DB Column Reference
A DB Column reference has one of the following formats:
1. db_CCCC
2. db_$type_info$
3. db_$type_info$CCCC
Where:
CCCC - DB column name.
type_info - Optional type information in the format:

{R}{W|G}T{Float flags}{Enumeration_Source_List}

Where:
R - The column is required (it cannot have a NULL value). If a form is submitted with a null R field, an error is returned stating that the value of the field may not be null.
W - The raw contents of the column are generated, without replacing special HTML characters such as '&'. Because this disables escaping, use it only for columns whose content is trusted: database content written to the page with W can inject HTML or script into the interface.
G - Reserved GET characters (like '%' and '+') are replaced by %nn tags.
T - A column type (default = string):
S = String.
N = Number.
F = Floating number. Float flags: {Pn}{C}{Mxxx{/yyy}} where:
   Pn = Number of precision digits.
   C = A comma separates groups of three digits (i.e. 1,000,000).
   M = A multiplication factor applied to the column value, calculated as xxx/yyy. The factor adjusts a column value by multiplying on display and dividing on input; the factor used on input must therefore be the inverse of the one used for display for the column value to remain consistent.
D = Date.
T = Time.
I = IP Address.
E = Enumerated value. The enumeration values are retrieved from a SELECT statement or from a predefined enumeration type identified by an enumeration name. Use this type as follows:
   <SELECT NAME="db_xxxx"> @db_$E{Enumeration_Source_List}$column_name@ </SELECT>
   This generates an <OPTION> or <OPTION SELECTED> clause for each enumeration value.
   Enumeration_Source_List = A '&' separated list of one or more Enumeration_Source.
   Enumeration_Source = {Select_statement | Values_list | Value_Pair_list | Enumeration_name} where:
   Select_statement - An SQL SELECT statement that generates the enumeration values. It may produce one or two columns in the result set. With two columns, the first is treated as the enumeration value and the second as the display value; with one column, that column is both the enumeration value and the display value.
   Values_list - A list of enumeration values in the format Values=val1,val2,..,valn. The given values are the display values, while the actual values are the sequence 1..n.
   Values_Pair_list - A list of enumeration value pairs in the format ValuePairs=pair1,pair2,..,pairn, where each pair is display_value=enumeration_value.
   Enumeration_name - A predefined enumeration name.
L = Lookup value. Lookup values are the same as enumeration values, except that instead of creating <OPTION> clauses the DB reference is simply replaced with the enumerated value matching the integer value of the DB column.
C = Checkbox. The checkbox type may be used for Boolean columns:
   <INPUT TYPE=CHECKBOX @db_$C$xxxx@>
   When displaying, @db_$C$xxxx@ is replaced with NAME="db_xxxx" VALUE="output_value", followed by checked if the column value is non-zero and by nothing if it is zero. output_value is the value sent to the server when the checkbox is checked.
   When the checkbox is unchecked, no value at all is sent to the server, so the server script would have to test for the checkbox's absence. To avoid this, add the following hidden control:
   <INPUT TYPE=HIDDEN NAME=db_$C$xxxx VALUE="output_value">
   where xxxx is the column name used in the checkbox (note that the hidden control's name carries the $C$ tag while the checkbox's own NAME does not) and output_value is the value the column receives if the checkbox is unchecked. When processing the HTTP parameters, if a $C$ parameter is encountered, the same DB column without $C$ is looked for first; only if it is not found is the $C$ value used.
A = ASCII. The value returned to the server is checked for ASCII characters; if any character is non-ASCII, the server rejects the value.
Bn = Minimum number of characters. The value returned to the server must have at least n characters; if it has fewer, the server rejects the value.
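The following is an added example, not Aradial's HTS engine, that parses DB Column references in the db_$type_info$CCCC form described above and applies the rules on both sides: on display the M factor, Pn precision, C grouping and the W/G output modes (HTML escaping being the default); on input the R, A and Bn checks and the inverse M factor. It assumes that A and Bn follow the type letter as validation flags, uses "1" as the checkbox output_value, and leaves out the E and L enumeration sources, which need an SQL source; the references and row values in the test are constructed.

```python
import html
import re
import urllib.parse
from fractions import Fraction

# db_CCCC, db_$type_info$ or db_$type_info$CCCC, type_info = {R}{W|G}T{Float flags}.
# Assumed here: A and Bn may follow the type as validation flags; E/L are not handled.
REF_RE = re.compile(r"^db_(?:\$(?P<type>[^$]*)\$)?(?P<col>[A-Za-z_]\w*)?$")
TYPE_RE = re.compile(r"^(?P<req>R)?(?P<out>[WG])?(?P<t>[SNFDTIC])?"
                     r"(?P<flags>(?:P\d+|C|M\d+(?:/\d+)?)*)(?P<ascii>A)?(?:B(?P<min>\d+))?$")


def parse_ref(ref):
    """Split a DB Column reference into its column name, type letter and flags."""
    m = REF_RE.match(ref)
    if not m or not m.group("col"):
        raise ValueError("not a DB column reference: " + ref)
    t = TYPE_RE.match(m.group("type") or "")
    if not t:
        raise ValueError("bad type_info in " + ref)
    spec = {"col": m.group("col"), "required": bool(t.group("req")), "out": t.group("out"),
            "type": t.group("t") or "S", "precision": None, "comma": False,
            "factor": Fraction(1), "ascii": bool(t.group("ascii")),
            "min_len": int(t.group("min") or 0)}
    for p, c, mul in re.findall(r"P(\d+)|(C)|M(\d+(?:/\d+)?)", t.group("flags")):
        if p:
            spec["precision"] = int(p)
        elif c:
            spec["comma"] = True
        else:
            spec["factor"] = Fraction(mul)      # Fraction("1/1024") is the xxx/yyy factor
    return spec


def render(ref, row):
    """Display side: type formatting, M factor, Pn/C flags, then the W/G output rule."""
    s = parse_ref(ref)
    value = row.get(s["col"])
    if value is None:
        text = ""
    elif s["type"] in ("N", "F"):
        num = Fraction(str(value)) * s["factor"]                 # multiply on display
        grp = "," if s["comma"] else ""
        prec = "" if s["precision"] is None else ".%d" % s["precision"]
        text = format(int(num), grp + "d") if s["type"] == "N" else format(float(num), grp + prec + "f")
    elif s["type"] == "C":                                       # markup, not DB content
        return 'NAME="db_%s" VALUE="1"%s' % (s["col"], " checked" if value else "")
    else:
        text = str(value)
    if s["out"] == "W":
        return text                                              # raw: trusted columns only
    if s["out"] == "G":
        return urllib.parse.quote_plus(text)                     # safe inside a query string
    return html.escape(text, quote=True)                         # default: safe in HTML


def accept(ref, submitted):
    """Input side: R, A and Bn checks, then divide by the M factor (inverse of display)."""
    s = parse_ref(ref)
    if submitted is None or submitted == "":
        if s["required"]:
            raise ValueError("the value of the field %s may not be null" % s["col"])
        return None
    if s["ascii"] and not submitted.isascii():
        raise ValueError("%s: non-ASCII characters are not allowed" % s["col"])
    if len(submitted) < s["min_len"]:
        raise ValueError("%s: at least %d characters required" % (s["col"], s["min_len"]))
    if s["type"] in ("N", "F"):
        return Fraction(submitted.replace(",", "")) / s["factor"]  # divide on input
    return submitted
```

The default branch of render is the one that matters for security: any column that can hold user-supplied text (a username, a description entered through the User Interface) ends up inside the Administrator Interface's HTML, and only escaping by default keeps that text from being interpreted as markup; W should be reserved for columns the administrators themselves populate with intentional HTML.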

DB Table Reference
A DB Table reference has the following format:
dbtable:column ';' column ';' ....
Where:
column - A table column reference (see DB Column).
A cell reference may contain raw data that will not be replaced. Raw data is enclosed by '#'. For example:
#Name=#db_Name
generates the column <TD> Name=name_field_value </TD>. The ';' character may be used in raw data by writing it as '\;'.


Appendix F
Aradial Appendix Manuals
Aradial has further manuals for specific configurations:

General
SSL Generation: C:\Program Files\Aradial\Docs\SSL-Generation.pdf
TCL Language manual: C:\Program Files\Aradial\Docs\ARADIAL TCL Script Language Plugin.pdf
Aradial Services: C:\Program Files\Aradial\Docs\Aradial Services.pdf
Aradial Flow Algorithm: C:\Program Files\Aradial\Docs\Aradial Flow Engine Configuration Guide.pdf
Activity log: C:\Program Files\Aradial\Docs\ActivityLog.pdf

Generate users and print


http://www.aradial.com/DownLoads/Generated-users-export-and-mail-merge.pdf

Bandwidth Management
Mikrotik: http://www.aradial.com/DownLoads/Mikrotik-BandWidth-Control.pdf
Other NAS/access controllers: ask for the manual.

